STRICTLY PRIVILEGED & CONFIDENTIAL

Cayman National Bank and Trust Company (Isle of Man) Limited 
Cayman National House 

4-8 Hope Street 

Douglas 

Isle of Man 

IM1 1AQ


Attn: Ian C. Whan Tong Esq, Group Legal Counsel 
23 June 2016 


Dear Sirs 


Provision of forensic technology, cyber security and investigative services 


We have been instructed by Cayman National Bank and Trust Company (Isle of Man) Limited to 
report on the provision of forensic technology, cyber security and investigative services in accordance 
with our engagement letter dated 19 January 2016 as updated on 9 February 2016 (Appendix 3). 


This document has been prepared only for Cayman National Bank and Trust Company (Isle of Man) 
Limited and solely for the purpose and on the terms agreed with Cayman National Bank and Trust 
Company (Isle of Man) Limited. We will allow a copy of this report to be made available to Cayman 
National Corporation Limited and the Isle of Man Financial Services Authority on the basis that you 
agree we have no liability (including liability for negligence) to either of them and that the report is 
provided for information purposes only. If either party relies on this report, it does so entirely at its
own risk.


We accept no liability (including for negligence) to anyone else in connection with this document, and 
it may not be provided to anyone else without our prior written consent. 


We will provide no opinion, attestation or other form of assurance with respect to our services or the
information upon which the services are based, other than to commit that we will work to the
standards within our industry for this kind of work and to PwC standards. We will not audit or
otherwise verify the information supplied to us in connection with this engagement, from whatever
source, except as specified in this engagement letter. The procedures we will be performing will not
constitute an examination in accordance with generally accepted auditing standards.


If you require any clarification or further information, please do not hesitate to contact Steve
Billinghurst of this firm on 01624 689711 or via email at steve.billinghurst@iom.pwc.com. 


Yours faithfully 


Executive Summary


Background 


On 7 January 2016, Cayman National Bank and Trust Company (Isle of Man) Limited (“CNBT”)
detected the clearance of a number of unusual SWIFT payments during their daily reconciliation
procedures.


On 19 January 2016, PwC were engaged by CNBT to provide cyber incident response services. This
primarily involved specialist technical assistance to establish the full fact pattern of the incident in
order to understand whether the remediation actions taken by CNBT had contained the incident, and
if not, to identify and remediate any ongoing malicious activity.


Key Findings


Intrusion Overview 


Following an initial internal investigation, CNBT determined that the payments had not been initiated 
legitimately and as a consequence, CNBT believed that it had been the target of a network breach. 


CNBT’s own initial investigation suggested that this banking fraud was perpetrated using legitimate 
systems, user accounts and credentials. 


Evidence from the PwC investigation suggests that the attacker(s) was able to gain privileged remote
access to individual employee systems and the server estate. This access would have also permitted
full control of all systems on the CNBT network.


In order to maintain a foothold in CNBT’s network and extract data from a number of the affected 
systems, the attackers distributed malicious software (malware) across the IT estate. Investigatory 
work carried out suggests the attackers followed a modus operandi frequently associated with 
organised Cyber Crime style attacks. 


The attackers used their privileged remote access and malware to navigate the CNBT network, identify
and view documentation that helped them understand payment processes, and subsequently
processed a series of fraudulent transactions.


From our review, no evidence came to light that any CNBT employee was directly involved in the
intrusion and attack.


Systems Impacted 


Initially, ten key systems and two servers were forensically preserved and analysed by PwC.
Seven of these systems were confirmed to be compromised by the attackers.


The attackers targeted and compromised servers holding the software and documentation necessary 
to perpetuate the fraud, as well as specific workstations of CNBT staff who make use of the SWIFT 
portal as part of their daily duties. 


The attackers used legitimate account credentials and malicious software to gain unrestricted
administrative access to the CNBT network and systems, allowing them to navigate the CNBT network
in much the same manner as internal system and network administrators would be able to.


The malware that was identified on the seven compromised systems, which was installed by or
associated with the attackers, enabled the attackers to conduct data theft from those systems.


Much of the attacker(s)’ activity identified was conducted from a server which is used by a third party
contracting service. In our extensive review, we found no evidence that any CNBT employee(s) was
directly involved in the attack.


Data Impacted 


The malware installed gave the attacker(s) the capability to record and extract keystrokes on the 
affected systems. 


Evidence indicates that the attacker(s) targeted documents relating to the methodology used by CNBT 
to process SWIFT payments. 


Given the level of access availed to the attacker(s) during the intrusion, it is highly likely that 
additional data has been exfiltrated. Where possible throughout our engagement, we have forensically 
preserved evidence which would support an exhaustive investigation into this data theft, while 
focusing on our objective of containing the network intrusion and removing the attackers from the 
CNBT network. 


Nevertheless, due to the absence of necessary forensic artefacts, it was not possible to definitively
determine whether additional data was extracted at the point the fieldwork was completed. This
absence of artefacts is due to the attacker(s) performing clean-up operations of certain activities and
the ageing off of the available data.


Subsequent to the completion of the fieldwork and based on our ongoing discussions and
collaboration with several law enforcement agencies, they have located and secured the physical
server(s) used by the attackers in the Netherlands. We have applied to gain access to the data to share
it with you, but at the date of this report this has not been received. Any further analysis of the data is
not covered by the scope of the engagement letter set out in Appendix 3.


Disruption Status


In tandem with PwC recommendations provided throughout our investigation, CNBT have actioned a
remediation strategy to disrupt the attacker(s)’ access to their network. This has included but is not
limited to:

a. Resetting account credentials on the Active Directory servers and the SWIFT portal;

b. Disabling the SWIFT BIC;

c. Revising firewall rulesets to ensure that network traffic was being filtered as necessary;

d. Blocking access to the attacker(s)’ malicious infrastructure; and,

e. Deployment of proprietary PwC network sensors to detect malicious activity across the CNBT
network.


Key Recommendations 


We have outlined some key recommendations based on our observations during our investigation,
which we believe will be important in enhancing CNBT’s overall security posture. These
recommendations will assist in the prevention and detection of further intrusion activity on the CNBT
network, the development of better operational security practices and, importantly, seek to ensure
that CNBT can maximise the learnings from this specific incident. A detailed list of recommendations
can be found in section 6 of this document.


PwC is aware that CNBT have already undertaken actions to implement some initial strategies in
order to isolate and remediate the initial intrusion. These actions were taken as part of the initial
mitigation plan provided to CNBT on 1 March 2016, as outlined in Appendix 2. It is recommended
that the milestones within this initial plan should be completed as a minimum. The follow-on
recommendations are designed to complement and/or strengthen the security posture across the
CNBT IT estate and prevent future incidents.


We strongly advise that any initiative to implement the recommendations above is coordinated as part
of a formal security improvement programme. This should be developed and project managed to
assist in the organisation of resources to effectively deploy the proposed recommendations and should
be coordinated internally, or by an external partner who has successfully executed security
improvement and transformation programmes. Some of the recommendations may require input
and/or resource from the CNC Group, and we recommend implementing these recommendations
across the entire CNC group if such controls and processes do not already exist.


Scope


Service Overview 


Our Services were performed and this deliverable was developed in accordance with our engagement
letter dated 19 January 2016 and addendum dated 08 February 2016. They are subject to the terms
and conditions included therein.


As outlined in the engagement letter dated 19 January 2016, PwC were requested to determine the full
fact pattern of the incident in order to understand its root cause, whether it has been contained and, if
not, to identify and remediate any ongoing malicious activity. PwC were to conduct the following tasks
to gain this understanding:


a. Understand the CNBT network environment and gather all known facts relating to the incident 
(“incident response mobilisation”); 

b. Preserve evidence of the systems known to be involved in the cyber incident (“evidence 
preservation”); 

c. Conduct targeted interrogations of log and system data to attempt to establish the fact pattern 
of the threat actor’s activity (“threat activity investigation”); 

d. Independently establish the sequence of events that led to the perpetration of the fraud; and, 

e. Provide a containment and mitigation strategy to remove the attacker(s) from the network and
limit the attacker(s)’ ability to re-establish access (“incident containment and mitigation”).


On 8 February 2016, following the communication of our preliminary findings to CNBT, an addendum
to the engagement letter was agreed and the scope of the assessment was expanded to include the
following:


a. Conduct investigations on additional systems that had not been included in the original scope 
but had been identified to be part of the attack during the preliminary analysis phase; and, 

b. Deploy network monitoring hardware to identify any ongoing attacker(s) activity in the network 
(“network monitoring”). 


For further detail, please review the engagement letter on the scope of the services requested. 
Investigation


Introduction 


The following section summarises the history of events that occurred and CNBT’s response to the
incident.


As part of the investigation we have identified a number of key events from the forensic images and
log data analysed.


A high level timeline of malicious activity can be found below, which contains the events relevant to
the investigation in chronological order. A detailed timeline of events is provided in Appendix 1.


The majority of the malicious activity identified from forensic analysis was found on two servers, the
Domain Controller (DC) and the Primacy server. The attackers used the “Primacy Support”
credentials repeatedly, which enabled them to gain access to all resources and machines on the
network, since these credentials have full administrative privileges. Due to the lack of availability of
log file data and other supporting records, it is not possible to conclude on whether the attack
originated from Primacy, involved Primacy staff or former staff members, or whether the vulnerability
was introduced by Primacy. We believe it would take a significant amount of further analysis to try to
determine this with any certainty, and there is a strong possibility that no further conclusion could be
reached.


The investigation has identified 8 December 2015 as the earliest known date of the attackers’
activity. Due to the absence of necessary forensic data we are unable to determine if this was the initial
point of compromise.


Further detail around individual events can be found below in the Analysis and Findings section.


June 2016 | PwC | Privileged and Confidential















Figure 1 - Timeline of key events (reconstructed from the figure; the original colour legend
distinguishing automated SWIFT system activity from attacker actions is not reproduced)

Action 1 - 08/12/2015 00:32:36: Attacker reviewed documents. Evidence suggests that the attackers
reviewed documents that may have helped them navigate their way around the network and facilitate
the SWIFT payments.

Actions 2-6: the attacker executes a specialised tool and a file transfer application. A connection to
an external IP was opened to transfer data.

Action 2 - 08/12/2015 01:16:00: Attacker tool sfk.exe was executed.
Action 3: not legible in the extraction.
Action 4 - 08/12/2015 01:30:00: File transfer tool WinSCP.exe was executed.
Action 5 - 08/12/2015 01:46:19: The Primacy user accessed ftp://94.102.51[.]143/Uploads/.
Action (number not legible) - 08/12/2015 01:48:52: The Primacy user accessed
ftp://94.102.51[.]143/Uploads/.

Action 7 - 08/12/2015 01:55:52: First malicious PowerShell activity observed in the event logs.
Action 8 - 08/12/2015 02:02:51: First time the “Primacy.Support” user logged on to the Domain
Controller.
Action 9 - 08/12/2015 02:06:38: Attacker reviewed documents.
Action 10 - 17/12/2015 23:30:00: Attempted mailbox dump of the “Audrey.Butterworth” mail account
by the Primacy Support account.

Action 11 - 05/01/2016 17:07:54: Primacy.Support user logs on to Andrew Cubbon’s computer.
Action 12 - 05/01/2016 17:58:41: 1st of 10 SWIFT payments initiated (the first SWIFT payment was
made).
Action 13 - 05/01/2016 18:09:21: 2nd of 10 SWIFT payments initiated.
Action 14 - 05/01/2016 18:15:57: Primacy.Support logs on to Andrew Cubbon’s computer.

Actions 15-30: a number of connections to SWIFT are observed and payments are initialised; the
payment at Action 23 is rejected.

Action 15 - 06/01/2016 17:36:33: Connected to ‘Swift-R7-Cnbtimdd:Customneighborhood’.
Action 16 - 06/01/2016 18:01:31: 3rd of 10 SWIFT payments initiated.
Action 17 - 06/01/2016 18:08:55: 4th of 10 SWIFT payments initiated.
Action 18 - 06/01/2016 18:11:01: Disconnected from ‘Swift-R7-Cnbtimdd:Customneighborhood’.
Action 19 - 06/01/2016 18:23:29: Connected to ‘Swift-R7-Cnbtimdd:Customneighborhood’.
Action 20 - 06/01/2016 18:38:16: 5th of 10 SWIFT payments initiated.
Action 21 - 06/01/2016 18:38:54: Disconnected from ‘Swift-R7-Cnbtimdd:Customneighborhood’.
Action 22 - 06/01/2016 18:49:17: Connected to ‘Swift-R7-Cnbtimdd:Customneighborhood’.
Action 23 - 06/01/2016 19:10:55: 6th of 10 SWIFT payments initiated (rejected).
Action 24 - 06/01/2016 19:21:25: 7th of 10 SWIFT payments initiated.
Action 25 - 06/01/2016 19:28:25: 8th of 10 SWIFT payments initiated.
Action 26 - 06/01/2016 19:36:18: 9th of 10 SWIFT payments initiated.
Action 27 - 06/01/2016 19:37:01: Disconnected from ‘Swift-R7-Cnbtimdd:Customneighborhood’.
Action 28 - 06/01/2016 20:32:41: Connected to ‘Swift-R7-Cnbtimdd:Customneighborhood’.
Action 29 - 06/01/2016 20:43:57: 10th of 10 SWIFT payments initiated.
Action 30 - 06/01/2016 20:44:28: Disconnected from ‘Swift-R7-Cnbtimdd:Customneighborhood’.

Action 31 - 06/01/2016 23:31:30: Primacy.Support logs off Andrew Cubbon’s computer.
Action 32 - 07/01/2016 17:05:23: Primacy.Support2 logs on to Andrew Cubbon’s computer.
Action 33 - 07/01/2016 17:06:44: Primacy.Support2 logs off Andrew Cubbon’s computer.
4. Analysis and Findings


Introduction


Our high-level approach to conducting this investigation involved: 


a. Host forensics - to detect and recover evidence of any tools and malware used by the
attacker(s);

b. Log-file analysis - to identify historic attacker(s) activity with the goal of identifying the time
and location of the initial infiltration;

c. Reverse engineering - to determine the full function of malware identified and develop
signatures;

d. Threat intelligence - to identify any other known indicators of compromise and infrastructure
previously used by the attacker(s); and,

e. Network monitoring - to monitor the CNBT network for any ongoing attacker(s) activity on the
network.


Methodology 


On 19 January 2016, PwC investigators visited the CNBT offices to preserve and collect data from the
suspect systems in accordance with PwC data acquisition procedures. Once data had been retained, it
was secured and transported to the PwC Cyber Labs to undergo analysis with the aim of identifying
the root cause of the incident.


Our work analysing suspect systems consisted primarily of:

a. Bulk loading of all the acquired images to PwC’s segregated forensic lab environment;

b. Generation of timelines from files and system artefacts;

c. Targeted searches for malware using known indicators of compromise and custom signatures;

d. Log analysis;

e. Manual analysis of key files and logs; and,

f. Generation of a detailed incident timeline (Appendix 1).


Identified Systems


PwC investigators have performed a targeted analysis on the primary workstations identified by
CNBT; these included those of Andrew Cubbon and Rosaline (Roz) Melia (the “Breached
Workstations”). In addition to these two workstations, the Domain Controller and Exchange server
were also included in this analysis phase.


Analysis workflow (reconstructed from the figure):

Receipt of the Dataset
 -> Analysis of Antivirus Logs
 -> Commercial Antivirus / Malware scans
 -> Automated threat intelligence scans (YARA)
 -> Review of OS and File System Artefacts
 -> Timeline generation and comparison of workstations


Initially the data was loaded to the PwC network and a scan was run across the primary hosts using
both commercial and proprietary solutions in order to identify traces of known malware.


PwC custom heuristics / intelligence have been used to identify additional malicious software and
files; the results from these scans were investigated and reviewed.


A number of operating system and file system artefacts have also been examined to locate any
evidence of malicious software execution. This analysis resulted in a number of interesting artefacts
(additional detail can be found in the timeline located in Appendix 1), such as:


a. The use of WinSCP, an FTP (“File Transfer Protocol”) client that was not known to be used by
CNBT;

b. A high number of PowerShell commands in the event logs; and,

c. Several remote logins to computers and servers that stood out as abnormal activity.


The identification of a number of malicious events allowed a pivot point¹ to be identified; this was then
used to identify additional artefacts across all of the forensic images and create a comprehensive
timeline of the attacker(s)’ activity on the CNBT network.


¹ Pivot Point - An event or time/date that allows us to focus the investigation
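The timeline-and-pivot approach described above can be illustrated with a small script. This is an added example, not PwC's tooling or anything taken from the engagement: the artefact records are constructed (hostnames, account names and the FTP address mirror those named in the report, the record set and its ordering are illustrative), and the hypothetical pivot is the first malicious PowerShell script-block entry on the DC. The script merges out-of-order records from several artefact sources into one chronological timeline, locates the pivot event and returns every event on every host within a window around it, which is how a pivot lets an analyst correlate activity across images.

```python
"""Unified host timeline and pivot-point window (added example, not from the report)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable

# Constructed sample artefacts (not the report's evidence set).
# Each record is (host, timestamp, artefact source, description). The records
# are deliberately out of order, as they would be when gathered from
# prefetch, recent-document keys, Security and PowerShell event logs.
SAMPLE_RECORDS: list[tuple[str, str, str, str]] = [
    ("DC", "2015-12-08 02:06:38", "RecentDocs", "Folder opened: Web Banker Clients"),
    ("Primacy", "2015-12-08 01:16:00", "Prefetch", "Executed: sfk.exe"),
    ("DC", "2015-12-08 01:55:52", "PowerShell", "Script block logged (malicious)"),
    ("Primacy", "2015-12-08 01:46:19", "WinSCP", "Session to ftp://94.102.51[.]143/Uploads/ as user Primacy"),
    ("DC", "2015-12-08 02:02:51", "Security", "Logon 4624 (type 10) CNCIM\\primacy.support"),
    ("Primacy", "2015-12-08 01:30:00", "Prefetch", "Executed: WinSCP.exe"),
    ("Primacy", "2015-12-08 00:32:36", "RecentDocs", "Document opened: Screenshot 2014-09-18 21.20.16.png"),
    ("Andrew Cubbon", "2016-01-05 17:07:54", "Security", "Logon 4624 (type 10) CNCIM\\primacy.support"),
]


@dataclass(frozen=True, order=True)
class Event:
    # ts is the first field so that default ordering is chronological
    ts: datetime
    host: str
    source: str
    detail: str


def parse_records(records: Iterable[tuple[str, str, str, str]]) -> list[Event]:
    """Normalise raw tuples into Events. Assumes every source has already been
    converted to one common time zone; mixing local and UTC stamps is the
    classic way a cross-host timeline silently goes wrong."""
    return [
        Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, source, detail)
        for host, ts, source, detail in records
    ]


def build_timeline(events: Iterable[Event]) -> list[Event]:
    """One chronological sequence across all hosts and artefact sources."""
    return sorted(events)


def find_pivot(events: Iterable[Event], predicate: Callable[[Event], bool]) -> Event | None:
    """First event (in timeline order) that the analyst has confirmed as malicious."""
    for event in build_timeline(events):
        if predicate(event):
            return event
    return None


def window_around(events: Iterable[Event], pivot: Event,
                  before_minutes: int = 120, after_minutes: int = 30) -> list[Event]:
    """Everything on every host shortly before and after the pivot: the set of
    artefacts to review next, regardless of which image they came from."""
    lo = pivot.ts - timedelta(minutes=before_minutes)
    hi = pivot.ts + timedelta(minutes=after_minutes)
    return [e for e in build_timeline(events) if lo <= e.ts <= hi]


def hosts_touched(events: Iterable[Event]) -> list[str]:
    """Distinct hosts with activity in a set of events, sorted for stable output."""
    return sorted({e.host for e in events})


def render(events: Iterable[Event]) -> list[str]:
    """Fixed-width lines suitable for a report appendix."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}  {e.host:<14} {e.source:<11} {e.detail}" for e in events]


if __name__ == "__main__":
    timeline = build_timeline(parse_records(SAMPLE_RECORDS))
    pivot = find_pivot(timeline, lambda e: e.source == "PowerShell")
    print("Pivot:", render([pivot])[0])
    print("Window around pivot:")
    for line in render(window_around(timeline, pivot)):
        print("  ", line)
    print("Hosts in window:", ", ".join(hosts_touched(window_around(timeline, pivot))))
```

The window boundaries are a judgement call; the example uses two hours before and thirty minutes after so that the Primacy-side tool execution and FTP session land in the same view as the DC's first script block and the first `primacy.support` logon, while the January activity on the workstation stays out of it.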
Initially, ten key systems and two servers were forensically preserved and analysed by PwC. Seven of
these systems were confirmed to be compromised by the attackers and have been provided in Table 1
below.

Hostname | IP Address | Activity
DC | 192.168.101.250 | Malicious PowerShell activity
Andrew Cubbon | 192.168.101.78 | Malicious PowerShell activity; interactive logons using “primacy.support” and “primacy.support2” accounts
Primacy | 192.168.101.10 | FTP tools and evidence of connections to attacker(s) IP address
Roz Melia | 192.168.101.247 | Evidence of attacker(s) attempting to extract mailbox and malicious PowerShell activity
Exchange Server | 192.168.101.67 | Malicious PowerShell activity
Gary Kermode | 192.168.101.129 | Malicious PowerShell activity
[hostname illegible] | 192.168.101.61 | Malicious PowerShell activity

Table 1 - Compromised Systems


The available evidence on the attacker(s)’ activities suggests that:

a. The attacker(s) was able to gain access to the Primacy server on 8 December 2015 at 01:16.

b. An FTP server tool (sfk.exe) was executed at 01:16 (at some point after this the file was deleted).

c. An FTP client (WinSCP.exe) was executed at 01:30 and approximately 16 minutes after this a
connection to ftp://94.102.51[.]143/uploads/ was established and the user navigated
to the “/Uploads/” folder. This activity was performed by the “Primacy” user.

d. The first malicious activity on the Domain Controller occurs at 01:55, the first time the
malicious PowerShell script is executed.


The Primacy server was used by the attackers to facilitate access to the rest of the network and
systems. A more detailed breakdown of malicious activity can be found below.


Although the first sign of compromise located during this investigation was on 8 December 2015,
there is evidence to suggest the attacker(s) was running automated scans against the webserver
(WINCAYM-DCgEBRX) from the malicious IP address 94.102.51[.]143 as early as 12 July 2015.
This can be seen as the first entry in the detailed timeline in Appendix 1.


Identified System Accounts


During our investigation we determined that the attackers had used the following Windows system
accounts to gain access to the network:

User | Activity
Administrator | -
Primacy | Used to connect to attackers’ IP address via FTP
Primacy.Support | Used for RDP access
Primacy.Support2 | Used for RDP access

Table 2 - Compromised accounts


The attackers had accessed the domain controllers and there was wide usage of malicious key logging
software; it would be prudent to assume that all accounts and passwords that had been used on the
network would have been compromised by the attackers. This includes, but is not limited to,
passwords relating to: portals, other systems, personal banking, emails and third-party services.


Files that the attacker(s) had accessed 


During the analysis it became clear that the attackers had accessed a number of files that could have
helped them navigate their way around the network and systems. The access times were determined
using forensic artefacts identified on disk and within the registry that highlight recently opened
documents.


Table 3 below shows the files that may have been accessed by the attacker(s) once they gained access
to the network.

Computer Name | Date | Time | Notes
Primacy | 2015-12-08 | 00:32:36 | Attacker(s) accessing documents: Screenshot 2014-09-18 21.20.16.png
Primacy | 2015-12-08 | 00:32:56 | Attacker(s) accessing documents: Screenshot 2014-09-18 21.25.44.png
Primacy | 2015-12-08 | 00:32:56 | Attacker(s) accessing documents: Screenshot 2014-09-18 21.20.16.png
Primacy | 2015-12-08 | 00:32:56 | Attacker(s) accessing documents: Screenshot 2014-09-18 21.13.00.png
Primacy | 2015-12-08 | 00:32:56 | Attacker(s) accessing documents: Fee Charged.png
Primacy | 2015-12-08 | 00:32:56 | Attacker(s) accessing documents: Default Settings for Invoicing.png
Primacy | 2015-12-08 | 01:19:38 | Attacker(s) accessing folder: Wire transfer Instructions 091214
Primacy | 2015-12-08 | 01:52:57 | Attacker(s) accessing folder: Training notes
Primacy | 2015-12-08 | 01:52:57 | Attacker(s) accessing folder: forex training session 071101
DC | 2015-12-08 | 02:06:38 | Attacker(s) accessing folder: Web Banker Clients
DC | 2015-12-08 | 02:06:38 | Attacker(s) accessing documents: Blue Sea.docx
DC | 2015-12-08 | 02:12:42 | Attacker(s) accessing documents: anti money laundering.htm
DC | 2015-12-08 | 02:13:03 | Attacker(s) accessing documents: anti money laundering_files
DC | 2015-12-08 | 02:13:03 | Attacker(s) accessing documents: vulnerability asssessment - may 2012.pdf
DC | 2015-12-08 | 02:15:46 | Attacker(s) accessing documents: Procedures for uploading transactions.docx
DC | 2015-12-08 | 02:18:13 | Attacker(s) accessing documents: upload transactions template - international payment (CCY) DO NOT USE.xlsx
DC | 2015-12-08 | 02:21:41 | Attacker(s) accessing documents: Mr N D Hamilton Letter 1 3 December 2015.docx
DC | 2015-12-08 | 02:22:18 | Attacker(s) accessing documents: Mr ND Hamilton Letter 2 4 December 2015.docx
DC | 2015-12-08 | 02:22:47 | Attacker(s) accessing documents: Winchester Trading Letter 2 29 October 2015.docx
Andrew Cubbon | 2015-12-10 | 05:01:04 | Attacker(s) accessing documents: IMG_4327.lnk
Andrew Cubbon | 2015-12-10 | 05:03:01 | Attacker(s) accessing documents: DSC_0575.lnk
Andrew Cubbon | 2015-12-10 | 05:03:11 | Attacker(s) accessing documents: CNCIOM - Add new forms to Web Banker.lnk
Andrew Cubbon | 2015-12-10 | 05:04:37 | Attacker(s) accessing documents: Copy of BUPA Breakdown 150930.lnk
Andrew Cubbon | 2015-12-10 | 05:05:29 | Attacker(s) accessing documents: Cayman top floor 161111 1.lnk
Andrew Cubbon | 2015-12-10 | 05:05:48 | Attacker(s) accessing documents: Cayman National Bank - Current details 19 Feb.lnk
Andrew Cubbon | 2015-12-10 | 05:06:43 | Attacker(s) accessing documents: Co18507E01-67-T142014.lnk
Andrew Cubbon | 2015-12-10 | 05:06:43 | Attacker(s) accessing documents: Manx Electronic Submission File.lnk

Table 3 - Files accessed by the attacker(s)
4.16 Based on the names of these files it is reasonable to assume that the files may have helped the
attacker(s) navigate around the systems and helped facilitate the transfer of funds.


PowerShell Activity 


4.17 The attacker(s) deployed and regularly utilised malicious PowerShell scripts across the network in
order to gain persistence and facilitate data collection. The first malicious PowerShell activity was
discovered on the Domain Controller on 8 December 2015 at 01:55:52 and continued until 19 January
2016. The timeline in Table 4 below details all the PowerShell activity discovered on analysed hosts.


4.18 Due to the rollover of both event and firewall log file data there is insufficient information available to
verify if there was any further activity prior to 8 December 2015.

System/Custodian | Date | Time
Domain Controller | 2015-12-08 | 01:55:52
Domain Controller | [date illegible] | 02:30:21
Domain Controller | 2015-12-10 | [time illegible]
Domain Controller | 2015-12-14 | 16:42:11
Domain Controller | 2015-12-17 | 15:34:42
Domain Controller | 2015-12-18 | 11:35:00
Domain Controller | 2015-12-18 | 11:35:02
Roz Melia | 2015-12-18 | 12:24:00
Gary Kermode | 2015-12-18 | 12:49:38
Keith Bennet | 2015-12-18 | 14:24:00
Gary Kermode | 2015-12-18 | [time illegible]
Andrew Cubbon | 2015-12-22 | 23:12:33
Andrew Cubbon | 2015-12-24 | 02:08:18
Roz Melia | 2015-12-31 | 13:03:00
Andrew Cubbon | 2015-12-31 | 14:59:39
Andrew Cubbon | 2016-01-04 | 21:18:50
Andrew Cubbon | 2016-01-05 | 16:49:20
Andrew Cubbon | 2016-01-06 | 17:02:51
Andrew Cubbon | 2016-01-06 | 17:08:42
Gary Kermode | 2016-01-07 | 17:30:32
Domain Controller | 2016-01-07 | 18:05:00
Domain Controller | 2016-01-07 | 18:20:00
Roz Melia | 2016-01-07 | 18:26:00
Roz Melia | 2016-01-07 | 18:46:00
Roz Melia | 2016-01-07 | 18:49:00
Domain Controller | [date illegible] | 00:47:00
Exchange Server | 2016-01-08 | 00:49:56
Domain Controller | 2016-01-19 | 00:44:08

Table 4 - PowerShell Activity


Keylogger output 


4.19 During the investigation we identified that the attacker(s) widely deployed a malicious PowerShell key 


logger script. Following this, PwC identified a large number of files containing users’ keystrokes which 


relate to the malicious key logger, the files and effected systems have been listed below in Table 5. 









































System / Custodian       Account                      Path
Keith Bennet Desktop     keith.bennett.CNCIM          \Users\keith.bennett.CNCIM\AppData\Local\Temp\win.log
Barry Williams           barry.williams               \Users\barry.williams\AppData\Local\Temp\win.log
Cheryle Birnie Desktop   cheryle.birnie               \Users\cheryle.birnie\AppData\Local\Temp\win.log
Andrew Cubbon Desktop    administrator                \Users\administrator\AppData\Local\Temp\win.log
Domain Controller        natwest                      \Users\natwest\AppData\Local\Temp\win.log
Helene Henderson         helen.henderson.CNCIM.000    \Users\helen.henderson.CNCIM.000\AppData\Local\Temp\win.1
Roz Melia                roz.melia.CNCIM              \Users\roz.melia.CNCIM\AppData\Local\Temp\win.log
Ian Bancroft             ianbancroft.CNCIM            \Users\ianbancroft.CNCIM\AppData\Local\Temp\win.log
Nikki O'Connor           nikki.oconnor                \Users\nikki.oconnor\AppData\Local\Temp\win.log
Gary Kermode             gary.kermode.CNCIM           \Users\gary.kermode.CNCIM\AppData\Local\Temp\win.log
Julia Mullarkey          julia.mullarkey              \Users\julia.mullarkey\AppData\Local\Temp\win.log
Primacy Server           keith.humphreys              \Users\keith.humphreys\AppData\Local\Temp\win.log
Primacy Server           keith.bennett                \Users\keith.bennett\AppData\Local\Temp\win.log
Primacy Server           anita.naylor                 \Users\anita.naylor\AppData\Local\Temp\win.log
Primacy Server           Sarah.Kinrade                \Users\Sarah.Kinrade\AppData\Local\Temp\win.log
Primacy Server           anne.johnston                \Users\anne.johnston\AppData\Local\Temp\win.log
Primacy Server           nikki.oconnor                \Users\nikki.oconnor\AppData\Local\Temp\win.log
Primacy Server           aaron.deehan                 \Users\aaron.deehan\AppData\Local\Temp\win.log
Primacy Server           barry.williams               \Users\barry.williams\AppData\Local\Temp\win.log
Primacy Server           julia.mullarkey              \Users\julia.mullarkey\AppData\Local\Temp\win.log
Primacy Server           leeann.forster               \Users\leeann.forster\AppData\Local\Temp\win.log
Primacy Server           helen.henderson              \Users\helen.henderson\AppData\Local\Temp\win.log
Primacy Server           Hannah.Holden                \Users\Hannah.Holden\AppData\Local\Temp\win.log
Primacy Server           jenna.brady                  \Users\jenna.brady\AppData\Local\Temp\win.log
Primacy Server           cheryle.birnie               \Users\cheryle.birnie\AppData\Local\Temp\win.log
Primacy Server           roz.whorms                   \Users\roz.whorms\AppData\Local\Temp\win.log
Primacy Server           alan.donnelly                \Users\alan.donnelly\AppData\Local\Temp\win.log
Primacy Server           angelacaulfield              \Users\angelacaulfield\AppData\Local\Temp\win.log
Primacy Server           gary.kermode                 \Users\gary.kermode\AppData\Local\Temp\win.log
Primacy Server           nikki.oconnor                \Users\nikki.oconnor\AppData\Local\Temp\win.log


Table 5 - Keylogger output

After looking at a number of these logs it is evident that some of them contain a large amount of recorded data.

It would be safe to assume that the attacker(s) has logs of all the keystrokes made by users from the first confirmed malicious activity on 8 December 2015 until the IP/Domain restrictions were implemented on 5 February 2016.


Attacker(s) accessing internal email

There is evidence to suggest that the attacker(s) attempted to obtain the contents of the "Audrey.Butterworth" mailbox while logged in under the "CNCIM\primacy.support" account. The extraction of the mailbox appears to have been unsuccessful on this attempt; however, we are unable to determine if the attacker(s) was able to successfully export mailbox data at a later stage.

Review of all email attachments

An export of all email and attachments contained within the Exchange EDB² mailbox file has been conducted. All extracted content was then scanned with commercial antivirus software and PwC's proprietary threat intelligence signatures.

We identified several malicious emails, and Table 6 below outlines those that were detected as containing malicious email attachments.

2 Format used by Exchange server to store all emails - https://technet.microsoft.com/en-us/library/bb124808(v=exchg.65).aspx
System / Custodian   Delivery Time                        From                                                   Subject
Tony Edmonds         Received: 2007-08-15 05:51:10 UTC    Clifton Farris <jessica.davey@bos.dk>                  Something hot
Tony Edmonds         Received: 2007-08-15 05:51:10 UTC    Adolfo Spicer <trygve.dalzell@valeweb.fo.co.uk>        Here is it
Cheryle Birnie       Received: 2015-06-29 03:33:32 UTC    Mary Ellen Beasley <employment@brycomm.com>            Invoice #6099-52
Helen Henderson      Received: 2015-06-29 03:33:32 UTC    Mary Ellen Beasley <employment@brycomm.com>            Invoice #6099-52
Gary Kermode         Received: 2015-08-06 10:10:49 UTC    csdeployment@swift.com                                 Price Changes
Gary Kermode         Sent: 2015-08-06 10:10:49 UTC        esdeployment@swift.com                                 Price Changes
Barry Williams       Received: 2015-08-10 08:45:36 UTC    Gary.Kermode@cnciom.com                                FW: Price Changes
Lee Penrose          Received: 2015-09-24 13:26:26 UTC    MAILER-DAEMON@athens.phpwebhosting.com                 failure notice
David Thomas         Received: 2015-10-01 09:50:39 UTC    Kate Cowley <Kate.Cowley@mpes.co.uk>                   Meeting minutes, October 01, 2015
Roz Melia            Received: 2015-12-14 13:25:42 UTC    276-647-8107 <direction@foulkcontact.com>              =?UTF-8?Q?6_pages_gFax_from_276-647-8107?=
Lee Penrose          Received: 2016-01-13 13:24:42 UTC    440-465-5488 <sulene.antunes@riovale.com.br>           =?UTF-8?Q?2_pages_Fax_from_440-465-5488?=

Table 6 - EDB detections


4.25 The majority of these detections, although malicious, are unrelated to this compromise and have been identified as junk by the email system.

4.26 We have identified one attachment of interest - "1_Price Updates 098123876 docs.jar". This was attached to an email that was sent to the custodian "Gary Kermode", who then forwarded it to "Barry Williams".

4.27 The email was initially sent to "Gary Kermode" on 06 August 2015 and currently resides in the user's inbox and not the Deleted/Junk folder like the other emails in the table above.

4.28 The headers of this email suggest that it was received from the domain "cncim[.]com". This domain was registered on 27 July 2015; it is highly likely that this domain was registered specifically for this attack.

4.29 Once executed the malware calls home to the IP 198.101.10[.]208 on port 1234.

4.30 Analysis of the malware attached to this email shows that it is "AdWind"³, a piece of malware that can be purchased online by hackers. Due to the timeframes involved we are unable to determine if this malware is directly related to the recent incident; however, it would appear that this malicious email may have been specifically designed and targeted to compromise CNBT.

3 AdWind is a commodity malware which is available for purchase by anyone. It is fully featured and, if successfully executed, allows an attacker to fully control infected machines. For more technical analysis see the following reports:
http://blog.checkpoint.com/2016/02/24/adwind-malware-as-a-service-reincarnation/
https://isc.sans.edu/forums/diary/Adwind+another+payload+for+botnetbased+malspam/20041/
Network Monitoring Methodology

To assist with the investigation PwC deployed its network monitoring solution known as SonarShock. PwC network intrusion analysts used the platform to search for signs of other compromises, or possible re-compromise by the attackers.

SonarShock is a PwC proprietary solution that allows real time data collection on networks. It is designed to perform (amongst other attributes) the following activities:

a. Deep packet inspection (DPI) for signature based detection;
b. Extraction of suspicious downloads for static analysis;
c. Recording of network and application layer metadata to enable advanced detection; and,
d. Short term archiving of packet data to enable deep analysis of suspicious activity.

The sensor was shipped from PwC UK on 28 January 2016 and was received by CNBT on 1 February 2016. The monitoring and analysis of the CNBT network was conducted until 3 March 2016.

Our work analysing the network activity consisted primarily of:

a. Reviewing and analysing activity identified using signature based detection; and,
b. Using the recorded metadata, along with the packet capture, to hunt for other malicious activity.

There were no new major findings identified during this exercise. We did detect ongoing connection attempts to the identified malicious infrastructure. This activity came from 5 internal hosts:

a. 192.168.101.9
b. 192.168.101.10
c. 192.168.101.247
d. 192.168.101.250
e. 192.168.101.251

Two of these hosts were also detected as being infected with the malicious PowerShell scripts:

a. 192.168.101.10
b. 192.168.101.250

The full details of all the findings will be included as an Excel spreadsheet; the number of events has been summarised within the graph below.
[Graph: number of events detected per category, on a logarithmic scale (100 to 100,000); bar values not legible. Categories: Possible TOR related traffic (Attempted Unauthorized Access); Attempted server compromise (Attempted Unauthorized Access); Attempted client compromise (Attempted Unauthorized Access); Keylogger related traffic (Virus Infection); PowerShell malware (Virus Infection); Suspicious activity* (Further investigation required).]

* These are events which, within the budget of the engagement, we have been unable to conclude on their specific nature.
5. Malware Analysis

5.1 This section details the functionality of the suite of malicious tools that was used by the attacker(s).

Reverse Shell

5.2 A reverse shell was the first sample we discovered during our analysis of Windows event logs. The reverse shell granted persistence through its installation as a service, the key details of which are shown in Figure 2.

[Figure 2 — Service details: screenshot of the service configuration, including the Account field; image not reproduced.]

5.3 Once the PowerShell log entry is de-obfuscated, we get the code shown in Figure 3.

[Figure 3 — Main code: screenshot of the de-obfuscated PowerShell, which launches a process via System.Diagnostics.ProcessStartInfo; image not reproduced.]

5.4 This code effectively takes the base64 encoded data shown on line 6 in Figure 3 and executes it in memory. Once base64 decoded this data is also 'gzip' decompressed to yield the eventual code. The string after decoding is shown in Figure 4.
[Figure 4 — The decoded PowerShell: screenshot not reproduced. Visible elements include a function enumerating CurrentDomain.GetAssemblies, a call to CurrentDomain.DefineDynamicAssembly with a System.Reflection.AssemblyName, SetImplementationFlags, FromBase64String, and GetDelegateForFunctionPointer calls resolving kernel32.dll VirtualAlloc, CreateThread and WaitForSingleObject.]

While the overall code is obfuscated, [text lost in the source] key components and determine that this code is a copy of a component of the Metasploit framework⁴ [which] is used to execute arbitrary code using PowerShell. In this case, the arbitrary code is contained on line [line number lost in the source].
5.6 The constants used in the shellcode⁵ are obfuscated using ROT13⁶ in places, and at 300 bytes, there is little room for the attackers to include any complex functionality. Indeed, the code again appears to be borrowed from the Metasploit framework, with the shellcode bearing a strong resemblance to code previously discovered and annotated by others, which can be found online.⁷ Essentially the shellcode calls out to a specified IP address on a given port (in all cases observed so far 94.102.51[.]143 on port 443), and attempts to run the file or shellcode returned in memory.

5.7 The second artefact recovered during our investigation was a keylogger. While it has not been possible to recover the entire script, we have been able to reconstruct the main components.

5.8 From our review of the code, we quickly identified through the strings present that it was comprised of two pieces of publicly available code, which had been stitched together. The two primary sources for the code appear to be:

a. https://github.com/samratashok/nishang/blob/master/Utility/Do-Exfiltration.ps1 (This handles the exfiltration of the data to the attackers' server)
b. https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1 (This handles the logging of keystrokes to a given file).

4 https://github.com/rapid7/metasploit-framework/blob/master/data/templates/scripts/to_mem_pshreflection.ps1.template
5 https://en.wikipedia.org/wiki/Shellcode
6 https://en.wikipedia.org/wiki/ROT13
7 http://forensicscontest.com/contest06/Finalists/Iulian_Anton/narrative.txt


These two functions perform nearly all of the required actions; aside from the basic functionality required to use the scripts together, the author in this case has also added functionality to ensure that keystrokes are only collected for a pre-specified period of time, defined in minutes.

The final component of the script, which uses the functions defined, is as follows in Figure 5.

[Figure 5 — Attacker(s) written code to use the scripts pieced together: screenshot not reproduced.]

5.12 Despite the options afforded to the attacker(s) in the "Do-Exfiltration" script, which include the ability to use DNS, email and PasteBin⁸ for exfiltration, they opted to use the simple webserver based exfiltration method. The webserver method of exfiltration can be detected using the Suricata rule below:





alert http any any <> any any (msg:"[PwC] - Crimeware keylogger POST with Base64 body";
    flow:from_client,established; urilen:10;
    content:"/index.php"; http_uri;
    content:"Accept: */*|0d 0a|"; http_header; depth:13;
    content:"|0d 0a|Content-Type: application/x-www-form-urlencoded|0d 0a|"; http_header;
    content:!"|0d 0a|Referer:"; http_header;
    pcre:"/^[A-Za-z0-9\/+]+={0,2}$/P";
    reference:md5,keylogger_http_pcap.pcap; classtype:trojan-activity;
    metadata:copyright,Copyright PwC UK 2016;
    metadata:tlp amber;
    metadata:confidence Medium;
    metadata:efficacy Medium;
    sid:61110525; rev:2016012701;)








The format of the keylogging file lends itself to being reliably detected using the following YARA rule: 





rule PowerShell_keylog_file : Attacker_Scripts
{
    meta:
        author = "PwC Cyber Threat Operations"
        copyright = "Copyright PwC UK 2016 (C)"
        date = "2016-01"
        reference = "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1"
        description = "Regular expression to match the keylog file created by the default settings when the referenced ps1 script is used"

    strings:
        $re = /"[A-Za-z0-9 \x00\x11]{2,64}","(\w|_|-|\x00){2,64}",".","(0|1|2)\d\/\d\d\/(1|2)\d\d\d: (0|1|2)/

    condition:
        $re
}

8 https://en.wikipedia.org/wiki/Pastebin


5.13 The data transmitted by the Do-Exfiltration Webserver option can be decoded using the following script:

import base64
import sys
import zlib

# sys.argv[1] is a file containing the POSTed data in this example
with open(sys.argv[1], 'rb') as infile:
    data = infile.read()

# The body is base64 text wrapping a gzip stream: decode, then decompress.
# wbits 15 + 32 lets zlib auto-detect a gzip or zlib header.
data = base64.b64decode(data)
newdata = zlib.decompress(data, 15 + 32)
print(newdata.decode('utf-8', errors='replace'))
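As an added example (not the report's or PwC's code, and not the attackers' script), the following Python puts the detection rule and the decode step above together: it applies the same body pattern as the Suricata rule's pcre (`^[A-Za-z0-9/+]+={0,2}$`) and its header checks to a captured POST, then decodes the body the way the script above does (base64, then gzip; the same layering paragraph 5.4 describes for the reverse shell). The keylog text and the POST are constructed here for the example, and the function names are mine.

```python
import base64
import gzip
import re
import zlib

# Same body pattern as the pcre in the Suricata rule above (the P modifier
# applies it to the HTTP client body).
BODY_RE = re.compile(r"^[A-Za-z0-9/+]+={0,2}$")

# Constructed sample of a Get-Keystrokes style log; not recovered from the incident.
SAMPLE_KEYLOG = (
    '"h","Untitled - Notepad","12/08/2015 01:55:52"\r\n'
    '"i","Untitled - Notepad","12/08/2015 01:55:53"\r\n'
)


def build_exfil_body(plaintext: str) -> bytes:
    """Produce the encoding the report describes (gzip, then base64). Used here only
    to generate test input; an investigator starts from a captured POST instead."""
    return base64.b64encode(gzip.compress(plaintext.encode("utf-8")))


def matches_rule(method: str, uri: str, headers: dict, body: bytes) -> bool:
    """Mirror the rule's checks: client POST to the 10-byte URI /index.php, an
    'Accept: */*' header, form-urlencoded content type, no Referer, base64-only body."""
    if method != "POST" or uri != "/index.php" or len(uri) != 10:
        return False
    if headers.get("Accept") != "*/*":
        return False
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        return False
    if "Referer" in headers:
        return False
    return BODY_RE.match(body.decode("ascii", errors="replace")) is not None


def decode_exfil_body(body: bytes) -> str:
    """Same decode as the report's script: base64, then gzip (wbits 15+32 auto-detects
    gzip or zlib headers). Raises ValueError on data that is not in that format."""
    try:
        raw = base64.b64decode(body, validate=True)
        return zlib.decompress(raw, 15 + 32).decode("utf-8", errors="replace")
    except (ValueError, zlib.error) as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not a base64+gzip keylogger body: {exc}") from None


def triage_post(method: str, uri: str, headers: dict, body: bytes):
    """Return (matched, decoded_text_or_None) for one captured request."""
    if not matches_rule(method, uri, headers, body):
        return False, None
    return True, decode_exfil_body(body)


if __name__ == "__main__":
    sample_body = build_exfil_body(SAMPLE_KEYLOG)
    sample_headers = {"Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded"}
    hit, text = triage_post("POST", "/index.php", sample_headers, sample_body)
    print("rule matched:", hit)
    print(text)
```

The header and URI checks are a faithful translation of the rule's `content` options, but `matches_rule` sees parsed headers rather than raw bytes, so it does not reproduce `depth:13` literally; in a real deployment the rule itself does that work and this code is only the analyst's decode step for the alerts it raises.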





5.14 In some cases the same code was packaged in slightly differing ways; however, the core keylogging code remains the same.

5.15 In all examples discovered during this incident, the exfiltration was to the following URL:

a. "hxxp://94.102.51[.]143/index.php"


Malware dropper/downloader

5.16 The final component discovered is a PowerShell downloader, which again uses base64 encoding to conceal the original script as a process argument, along with several common suspicious PowerShell flags.

5.17 Once this is decoded, the key component of the script can be seen in Figure 6.

[Figure 6 — The key component of the base64 encoded script⁹: screenshot not reproduced. Visible elements include a System.Net.WebClient object using DefaultNetworkCredentials, a DownloadString call whose result is XORed byte by byte against the key $K, and IEX of the joined result, all written with random capitalisation.]

9 The random capitalisation is an attempt to evade simple string based detection.

This effectively makes a request to the specified URL, reads the contents back and uses the key defined in the '$K' variable to decode the data. This is a simple downloader and the overall result, including the original encoded PowerShell, is the use of yet another script found on GitHub¹⁰ to create a PowerShell dropper.

As can be seen in Figure 6, the download is from the domain 'hxxp://ip.safe-banking[.]co:443/index.asp' and the download is 'xor' encoded with the md5 of the text "Passi23!@#".

The domain ip.safe-banking.co has been hosted on the IP address 96.44.156.210 throughout its active period.
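The key derivation and decode step described in the paragraphs above, as an added example for an analyst who has recovered the downloaded blob from a packet capture (this is not the report's code and not the dropper's own). It assumes, as the text states, that the XOR key is the MD5 of the passphrase; whether the dropper applies the 32-character hex digest or the 16 raw digest bytes is not stated on the page, so both forms are tried and a printability check picks the one that yields text. The passphrase is transcribed from the report; the sample blob is constructed here by encoding a harmless string with the same key, and the function names are mine.

```python
import hashlib

PASSPHRASE = "Passi23!@#"  # as transcribed in the report


def md5_key_bytes(passphrase: str, use_hex: bool = True) -> bytes:
    """Derive the XOR key from the MD5 of the passphrase. use_hex=True uses the ASCII
    hex digest (32 key bytes); False uses the raw digest (16 bytes). Which form the
    dropper used is an assumption either way, hence the parameter."""
    digest = hashlib.md5(passphrase.encode("utf-8"))
    return digest.hexdigest().encode("ascii") if use_hex else digest.digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, i.e. each byte XORed with $K[$i % $K.Length]. XOR is its
    own inverse, so the same function both encodes the sample and decodes a capture."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_script(decoded: bytes) -> bool:
    """Cheap plausibility check for a correct key: valid UTF-8, printable text only."""
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_download(blob: bytes, passphrase: str = PASSPHRASE) -> bytes:
    """Try both key interpretations and return the first decode that reads as text."""
    for use_hex in (True, False):
        candidate = xor_with_key(blob, md5_key_bytes(passphrase, use_hex))
        if looks_like_script(candidate):
            return candidate
    raise ValueError("neither MD5 key form yields printable text; wrong passphrase?")


# Constructed stand-in for the downloaded payload: a harmless line, XOR encoded here
# with the hex-digest form of the key. Not data recovered from the incident.
SAMPLE_PLAINTEXT = b"Write-Host 'constructed sample payload'\r\n"
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT, md5_key_bytes(PASSPHRASE))

if __name__ == "__main__":
    print(decode_download(SAMPLE_BLOB).decode("utf-8"))
```

The printability test is deliberately weak: it only has to separate the right key from the wrong one, and for a 16- or 32-byte repeating key the wrong choice turns a script into non-text within the first few bytes.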


Other Observations

In addition to the tools listed above it was noted that the attackers made regular use of the remote desktop protocol (RDP) to gain access to the CNBT network. We also noted the attackers manually initiated a number of FTP connections to the Command and Control (C2) servers highlighted in this report.

Malware Specific Recommendations

The following are recommendations specifically targeted at mitigating the threat posed by the identified malware:

a. Implement heuristic detection of malicious services running across the enterprise
b. Ensure your host-based intrusion prevention system has the ability to detect the different components of the Metasploit framework.
c. Deploy the signatures for the following single value indicators:
   i. 96.44.156[.]210
   ii. ip.safe-banking[.]co
   iii. 94.102.51[.]143
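One way to apply the three indicators above to connection logs, as an added example that is not part of the report: the indicators are published defanged (`[.]`), so the matcher refangs them first, separates IPs from domains, and matches domains on exact name or subdomain. The log line format, the sample lines and the function names are mine; the indicator values are the ones listed above.

```python
import ipaddress
import re

# Indicators as published above, in their defanged form.
DEFANGED_IOCS = ["96.44.156[.]210", "ip.safe-banking[.]co", "94.102.51[.]143"]


def refang(value: str) -> str:
    """Turn the publication-safe form back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def defang(value: str) -> str:
    """Re-defang for reporting, bracketing only the last dot as the report does."""
    head, sep, tail = value.rpartition(".")
    return f"{head}[.]{tail}" if sep else value


def load_iocs(defanged):
    """Split a defanged indicator list into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for value in defanged:
        value = refang(value).lower()
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


def host_matches(hostname: str, domains) -> bool:
    """Exact match or any subdomain of a listed domain."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


# Constructed log format (not the SonarShock or CNBT format):
# "<timestamp> <src> -> <dst>:<port>[ host=<sni-or-http-host>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)(?: host=(?P<host>\S+))?$"
)


def scan_flow_log(lines, defanged=DEFANGED_IOCS):
    """Return (timestamp, source, reason) for every line touching an indicator.
    Malformed lines are skipped rather than failing the whole scan."""
    ips, domains = load_iocs(defanged)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = None
        if m["dst"] in ips:
            reason = "ip:" + defang(m["dst"])
        elif m["host"] and host_matches(m["host"], domains):
            reason = "domain:" + defang(m["host"])
        if reason:
            hits.append((m["ts"], m["src"], reason))
    return hits


# Constructed sample lines; the internal addresses echo the report's hosts, the
# benign destination is a TEST-NET address, nothing here is real traffic.
SAMPLE_FLOW_LOG = [
    "2016-02-02T10:15:01Z 192.168.101.10 -> 94.102.51.143:443",
    "2016-02-02T10:15:07Z 192.168.101.9 -> 96.44.156.210:443 host=ip.safe-banking.co",
    "2016-02-02T10:16:00Z 192.168.101.50 -> 203.0.113.5:443 host=example.com",
    "2016-02-02T10:16:30Z 192.168.101.250 -> 10.0.0.5:443 host=cdn.ip.safe-banking.co",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_flow_log(SAMPLE_FLOW_LOG):
        print(*hit)
```

Matching the domain on the observed host name rather than on a resolved IP matters for the fourth sample line: the report notes that ip.safe-banking.co stayed on one IP, but a subdomain or a later move to new hosting would still be caught by the name.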
Consider implementing an application whitelisting solution that only allows approved PowerShell scripts to be executed.

Ensure logs of PowerShell activity are recorded; logging can be enabled through Group Policy (for details see: https://technet.microsoft.com/en-us/library/hh847797.aspx). Ideally collect and analyse these logs, looking for signs of suspicious PowerShell flags such as:

a. -enc
b. -nop
c. -w Hidden
d. -NonInteractive

5.25 PowerShell processes with base64 arguments, or where the process argument contains 'FromBase64String', should be treated with suspicion.

10 https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Out-EncryptedScriptDropper.ps1
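The flag review recommended above, as an added example that is not part of the report: a Python triage function that scans process-creation command lines for the four listed flags (including the abbreviated and full spellings PowerShell accepts for them) and for long base64 arguments, and decodes an -EncodedCommand value (base64 of UTF-16LE text, which is the form PowerShell expects) so that a FromBase64String call hidden inside it is visible to the same check. The sample lines are constructed, not CNBT log data, and the pattern names and function names are mine.

```python
import base64
import binascii
import re

# Flags called out in the recommendations above. PowerShell accepts short forms
# (-e/-ec/-enc, -nop, -w, -noni), so each pattern covers the short and full spelling.
FLAG_PATTERNS = [
    ("-enc", re.compile(r"(?i)(?<![\w-])-e(?:c|nc|ncodedcommand)?(?=\s+\S)")),
    ("-nop", re.compile(r"(?i)(?<![\w-])-nop(?:rofile)?\b")),
    ("-w hidden", re.compile(r"(?i)(?<![\w-])-w(?:indowstyle)?\s+hidden\b")),
    ("-NonInteractive", re.compile(r"(?i)(?<![\w-])-noni(?:nteractive)?\b")),
]
ENC_VALUE_RE = re.compile(r"(?i)(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# A standalone run of 40+ base64 characters is treated as a "base64 argument".
B64_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")


def decode_encoded_command(value: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text, or None
    when the value is not valid base64 or not valid UTF-16LE."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_command_line(cmdline: str) -> dict:
    """Describe one process command line: which listed flags appear, the decoded
    -enc payload if any, and whether FromBase64String or a base64 argument is present."""
    if not re.search(r"(?i)powershell(?:\.exe)?", cmdline):
        return {"powershell": False, "flags": [], "decoded": None,
                "from_base64": False, "b64_argument": False}
    flags = [name for name, pattern in FLAG_PATTERNS if pattern.search(cmdline)]
    decoded = None
    m = ENC_VALUE_RE.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
    searchable = cmdline + (decoded or "")  # look inside the decoded payload too
    return {
        "powershell": True,
        "flags": flags,
        "decoded": decoded,
        "from_base64": "frombase64string" in searchable.lower(),
        "b64_argument": B64_TOKEN_RE.search(cmdline) is not None,
    }


def is_suspicious(result: dict) -> bool:
    """Apply the report's criteria: any listed flag, a base64 argument, or FromBase64String."""
    return result["powershell"] and (
        bool(result["flags"]) or result["from_base64"] or result["b64_argument"])


def encode_for_sample(text: str) -> str:
    """Sample-construction helper only: the base64(UTF-16LE) form -EncodedCommand expects."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample payload and command lines (benign; 'Y29uc3RydWN0ZWQ=' is "constructed").
SAMPLE_PAYLOAD = ("Write-Host ([Text.Encoding]::UTF8.GetString("
                  "[Convert]::FromBase64String('Y29uc3RydWN0ZWQ=')))")
SAMPLE_LINES = [
    "powershell.exe -nop -w hidden -enc " + encode_for_sample(SAMPLE_PAYLOAD),
    "powershell.exe -File C:\\Scripts\\Get-Inventory.ps1",
    "C:\\Windows\\System32\\notepad.exe C:\\notes.txt",
    "powershell -NonInteractive -Command \"[Convert]::FromBase64String('AAAA')\"",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = triage_command_line(line)
        print(is_suspicious(result), result["flags"], result["from_base64"])
```

The second sample line shows the intended negative case: a plain `-File` invocation with no listed flag and no encoded argument is left alone, so the check stays usable on hosts where administrators run scheduled PowerShell scripts.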
Recommendations

PwC have compiled a list of security recommendations below, which have been divided into short term, medium term and long term recommendations. An initial mitigation plan and check list was provided to CNBT on 1 March 2016 in order to provide guidance on the isolation and mitigation of the initial intrusion activity. The steps of this plan are provided in Appendix 2; the recommendations below should be considered as a follow on from the initial mitigation plan provided. It is recommended that the milestones within the initial plan should be completed as a minimum. These recommendations can be used to complement any existing security plans and projects.

These recommendations are a guide derived from the observations of the attacker(s)' tools, techniques and procedures (TTPs) that were identified throughout the investigation. All recommendations should be tested prior to implementation and be coordinated as part of a formal security improvement programme. This should be developed and project managed to assist in the organisation of resources to effectively deploy the proposed recommendations, and should be coordinated internally or by an external partner who has successfully executed enterprise security improvement and transformation programmes.

Short Term

In the short term we recommend a number of high-priority actions. These recommendations will help CNBT disrupt both the access of the attackers to the network and the extent of their access once present.

a. Continue to block and monitor access to malicious domains and IP addresses identified during the investigation.
b. Continue to monitor anti-virus hits relating to malware and tools used by the attackers.
c. Monitor the real-time usage of privileged accounts on domain controllers.
d. Monitor for targeted spear phishing emails; look for emails flagged as malicious and that have:
   i. Relevant targeted themes to CNBT users;
   ii. Spoofed CNBT addresses, or other spoofed addresses (publishing your SPF record can reduce the likelihood of hackers spoofing the CNBT domain to target other organisations); and,
   iii. Web mail accounts created in the names of legitimate customers or users.

Review the structure and allocation of Active Directory administrative accounts to the CNBT network. Take steps to ensure that administrative access to servers, workstations and the Active Directory domain is segregated and that no single administrator account can access all systems. In addition:

a. Remove unnecessary permissions required by service accounts;
b. Restrict local administrative privileges for domain users; and,
c. Disallow privileged accounts from accessing the internet, putting in place monitoring for any privileged accounts which do require internet access via an exception process.

Put in place additional monitoring/alerting for anomalous remote access, or attempted access, such as:

a. Monitor for malicious/suspect hostnames; and,
b. Monitor for suspicious connections, i.e. unusual IP geo patterns, data upload patterns.

For all remote access and administrative access across the network:

a. Enforce and confirm that two factor authentication is implemented for all remote access to the CNBT network. Consider extending this to include two factor internal access to critical or particularly sensitive systems; and,
b. Ensure all passwords for remote administrative tools are reset at regular intervals.

Enable and regularly review the output of an application whitelisting solution in monitoring mode to identify unwanted or malicious programs being executed across the CNBT network (e.g. CSP, MS AppLocker).


Medium Term

The medium term recommendations are designed to reduce the likelihood that the attackers could regain access to the CNBT network, as well as enabling CNBT to respond to and mitigate against attacks in a timely manner.

Consider implementing an authenticated proxy:

a. Allow only authenticated HTTP/HTTPS traffic via the proxy; and,
b. Disallow direct web connections to the internet without going via the authenticated proxy (whitelist allowed machines and IPs at the firewall, i.e. for AV updates).

Block or quarantine executable content within emails:

a. Check by file header and not by file extension, and include inspection of compressed files.

Server-specific:

a. Implement application whitelisting on servers to monitor and prevent unauthorised executable content from running;
b. Disallow internet access from the server for all protocols; whitelist allowed IPs and protocols;
c. Restrict and/or monitor the usage of administrative shares; and,
d. Enable a local firewall; whitelist allowed ports and IPs.

Remote access/administrative tools:

a. Remove unnecessary remote administrative tools, i.e. VNC viewer, TeamViewer; and,
b. Monitor and log usage of remote administrative tools for suspicious use.

Passwords (domain, local and application accounts):

a. Enforce strong and complex passwords;
b. Enforce password expiry;
c. Enforce policy to avoid password re-use;
d. Disable unused accounts; and,
e. Audit and verify user accounts.

Consider enhancing network visibility by obtaining or deploying Intrusion Detection Service capability.

Continue to identify any remaining vulnerabilities in the CNBT estate through internal and external penetration testing.

As part of a vulnerability management work stream, perform timely patching of both operating system vulnerabilities and 3rd party application vulnerabilities, i.e. Acrobat, Flash, MS Office.

We recommend that a biannual comprehensive 'sweep' of systems connected to the CNBT network should be performed, using specialised cyber threat detection software, to fulfil two objectives:

a. Confirm that there is no evidence of re-entry to the CNBT network by the attackers behind the incident being investigated; and,
b. Determine whether any systems are exhibiting signs of compromise by any other threat.

Consider procuring a tailored cyber threat intelligence feed, focusing on threats against CNBT. Use threat intelligence to develop greater awareness which will enable CNBT to more proactively defend its network against targeted threats and identify evidence of malicious activity.

Increase security awareness and improve security culture and behaviour by providing education services to all employees. This could include cyber awareness training courses, and enforcing acceptable use policies. It is recommended that high-risk employees, such as the executive group, receive specialist cyber threat and awareness training on a regular basis.

Conduct regular penetration tests and vulnerability identification programmes in order to identify where there are remaining areas of weakness in the CNBT infrastructure. Implement a formal vulnerability management and remediation programme to ensure that any issues are addressed.
Long Term

The long term recommendations are designed to implement further controls to the network, again reducing the likelihood of future breaches. The long term recommendations focus on not only technical but also procedural elements to enhance the overall security posture and resilience of the entire CNBT estate.

We recommend that CNBT begin by defining their business-wide security requirements. This includes items that range from the types of technical controls that will be implemented in specific segments of the network, all the way to non-technical requirements such as robust security policy definitions. Defining these requirements up-front ensures that security is built into the development or acquisition of new systems.

Following the definition of a full set of security requirements we recommend conducting a formal risk assessment, which can be used to populate the board's risk register with cyber risk elements. This analysis should include identifying which elements of the organisation are most likely to be targeted, the value to CNBT of the corresponding business that could be lost, and the growth opportunity associated with winning more business in that area. This will help to create the business case for investment in the more advanced security approach we believe CNBT needs, and to prioritise that investment.

Assign a board representative with responsibility for security, recognising that while IT security has a significant role to play, security as a whole is not an IT responsibility.

Consider appointing a Global Chief Information Security Officer (CISO) or equivalent, who would be responsible for overseeing efforts to ensure that information and technology assets - for both current and new initiatives - are adequately protected throughout the organisation.

Establish a dedicated IT security resource with authority to actively hunt for evidence of malicious activity on the global CNBT estate. Train this resource to perform incident detection and first-level incident response duties for the CNBT network.

For incidents of a complexity or scale beyond that which can be managed internally, and in the interim while appointing a full time IT security team, establish an on-call retainer agreement with a third party incident response provider with experience of remediating a wide range of intrusions and with a reach aligned to CNBT's footprint.

In light of the likelihood of future such incidents, conduct a forensic and crisis readiness review. This will ensure that, amongst many things, sufficient logging data is being preserved in order to investigate future incidents thoroughly, that formal response plans and procedures are in place, that crisis and incident escalation procedures are tested and that out-of-band communication mechanisms are established.

Conduct a lightweight information governance and classification review to provide an insight into how data is being managed throughout CNBT and what types of data are likely to be particularly sensitive, so that an informed decision can be made about how sensitive data may be handled more securely.

Consider a programme of network segregation and segmentation, informed by the information governance and data classification review, to more robustly protect key information.
Caveats and disclaimers

This report has been prepared in alignment with the services stated in the letter of engagement dated 19 January 2016.

We have not carried out any activities in the nature of a statutory audit nor, except where otherwise stated, have we subjected the financial or other information contained in this report to checking or verification procedures. Accordingly, we assume no responsibility and make no representations with respect to the accuracy or completeness of the information in this report, except where otherwise stated.

We do not accept or assume any liability or duty of care for any other purpose or to any other person to whom this report is shown or into whose hands it may come save where expressly agreed by us in writing.

To the extent that our report touches on points of law it should not be taken as expressing an opinion thereon.

In preparing this report and supporting appendices we have relied upon information and explanations provided by Cayman National Bank and Trust Company (Isle of Man) Limited. We have performed analysis based upon this information.

Modern computer systems contain such numerous and complicated software components that it is neither operationally practical nor economically feasible to determine these components' exact functional behaviour with certainty. Accordingly, we make no warranty that our work will have detected all malware or other malicious software which may be or have been present on the computers which we have analysed, or that we have been able to determine the exact operational behaviour of the malware which we have examined.

Statements throughout this report relating to the intent and objectives of the attackers are based on the collective, subjective experience of PwC cyber threat intelligence and incident response staff.
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8. Appendix 1 




















System / Daie Time Noies 
Custodian 
WINCAYM- 2015-07-12 00:29:00 Evidence of the malicious IP address 94.102.51[.]143 in 
DC9EBRX the ITS logs, this appears to be an automated scan 
Primacy 2015-12-08 00:32:56 Attacker(s) accessing documents: Screenshot 2014-09- 
18 21.25.44.png 
Primacy 2075-12-08 00:32:56 Attacker(s) accessing documents: Screenshot 2014-09- 


18 21.20.16.png 














Primacy 2015-12-08 00:32:56 Atiacker(s) accessing documents: Screenshot 2014-09- 
18 21.13.00.png 








Primacy 2015-12-08 00:32:56 Attacker(s) accessing documents: Fee Charged.png 





Primacy 2015-12-08 00:32:56 Attacker(s) accessing documents: Default Settings for 
Invoicing.png 



































Primacy 2015-12-08 01:16:00 Application named sfk.exe was executed on this server 

Primacy 2015-12-08 01:19:38 Attacker(s) accessing documents: Training notes 

Primacy 2015-12-08 01:30:00 Application named WinSCP.exe was executed on this 
server 

Primacy 2015-12-08 01:46:19 The Primacy user accessed 


ftp://94.102.51[.]143/uploads/ and may have uploaded 
files to the external address 








Primacy 2015-12-08 01:48:52 The Primacy user accessed 


ftp://94.102.51[.]143/uploads/ and may have uploaded 
files to the external address 























Primacy 2015-12-08 01:52:57. Attacker(s) accessing documents: forex training session 
071101 
Primacy 2015-12-08 01:52:57 + Attacker(s) accessing documents: Screenshot 2014-09- 


18 21.20.16.png 
System / Custodian   Date Time   Notes

DC 2015-12-08 01:55:52 First malicious PowerShell activity observed in the event logs
DC 2015-12-08 02:02:44 Evidence of Network logon "Type 3"
DC 2015-12-08 02:02:51 First time the Primacy.Support user logged on to the Domain Controller. The user begins to look at documents
DC 2015-12-08 02:19:17 Attacker(s) accessing documents: Winchester Trading Letter 2 29 October 2015.docx
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: Mr ND Hamilton Letter 2 4 December 2015.docx
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: Mr N D Hamilton Letter 1 3 December 2015.docx
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: Bankline
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: upload transactions template - international payment (CCY) DO NOT USE.xlsx
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: Procedures for uploading transactions.docx
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: anti money laundering_files
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: vulnerability assessment - may 2012.pdf
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: Intranet
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: anti money laundering.htm
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: Web Banker Clients
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: Blue Sea.docx
DC 2015-12-08 02:22:47 Attacker(s) accessing documents: Wire transfer Instructions 091214
DC 2015-12-08 02:30:21 Malicious PowerShell activity observed in event logs
DC 2015-12-10 03:29:23 Malicious PowerShell activity observed in event logs
DC 2015-12-14 16:42:11 Malicious PowerShell activity observed in event logs
DC 2015-12-17 15:34:42 Malicious PowerShell activity observed in event logs
Exchange Server 2015-12-17 23:30:00 Attempted mailbox dump of the "audrey.butterworth" mail account by Primacy Support Account
DC 2015-12-18 11:35:00 Malicious PowerShell activity observed in event logs
DC 2015-12-18 11:35:02 Malicious PowerShell activity observed in event logs
Roz Melia 2015-12-18 12:24:00 Malicious PowerShell activity observed in event logs
Gary Kermode 2015-12-18 12:49:38 Malicious PowerShell activity observed in event logs
Keith Bennet 2015-12-18 14:24:00 Malicious PowerShell activity observed in event logs
Gary Kermode 2015-12-18 17:46:58 Malicious PowerShell activity observed in event logs
WINCAYM-DC9EBRX 2015-12-20 02:33:46 Resident file in the $MFT from weblogs Port 21
Andrew Cubbon 2015-12-22 23:12:33 Malicious PowerShell activity observed in event logs
Andrew Cubbon 2015-12-24 02:08:18 Malicious PowerShell activity observed in event logs
Roz Melia 2015-12-31 13:03:00 Malicious PowerShell activity observed in event logs
Andrew Cubbon 2015-12-31 14:59:39 Malicious PowerShell activity observed in event logs
Andrew Cubbon 2016-01-04 21:18:50 Malicious PowerShell activity observed in event logs
Andrew Cubbon 2016-01-05 01:22:57 primacy.support Type 10
Andrew Cubbon 2016-01-05 01:37:26 primacy.support Type 10
Andrew Cubbon 2016-01-05 01:37:38 primacy.support Type 10
Andrew Cubbon 2016-01-05 16:49:20 Malicious PowerShell activity observed in event logs
Andrew Cubbon 2016-01-05 17:07:54 (account name illegible in the scanned copy) Type 10 log on
SWIFT Portal 2016-01-05 17:58:41 1st of 10 SWIFT Payments initiated
SWIFT Portal 2016-01-05 18:09:21 2nd of 10 SWIFT Payments initiated
Andrew Cubbon 2016-01-05 18:15:57 primacy.support Type 10 re log on
Andrew Cubbon 2016-01-05 18:16:09 primacy.support Type 10 log off
Andrew Cubbon 2016-01-05 18:27:20 primacy.support Type 10
Andrew Cubbon 2016-01-05 18:27:33 primacy.support Type 10 log on
Andrew Cubbon 2016-01-05 19:54:06 primacy.support Type 10
Andrew Cubbon 2016-01-05 19:58:04 primacy.support Type 10
Andrew Cubbon 2016-01-05 19:58:21 primacy.support Type 10
Andrew Cubbon 2016-01-06 17:02:51 Malicious PowerShell activity observed in event logs
Andrew Cubbon 2016-01-06 17:08:42 Malicious PowerShell activity observed in event logs
Andrew Cubbon 2016-01-06 17:09:36 primacy.support Type 10 log on
Andrew Cubbon 2016-01-06 17:36:33 CONNECTED to 'SWIFT-R7-CNBTIMDD:CustomNeighborhood'
SWIFT Portal 2016-01-06 18:01:31 3rd of 10 SWIFT Payments initiated
SWIFT Portal 2016-01-06 18:08:55 4th of 10 SWIFT Payments initiated
Andrew Cubbon 2016-01-06 18:11:01 DISCONNECTED from 'SWIFT-R7-CNBTIMDD:CustomNeighborhood'
Andrew Cubbon 2016-01-06 18:23:29 CONNECTED to 'SWIFT-R7-CNBTIMDD:CustomNeighborhood'
Andrew Cubbon 2016-01-06 18:29:45 primacy.support Type 10 re log on
Andrew Cubbon 2016-01-06 18:29:59 primacy.support Type 10 log off
SWIFT Portal 2016-01-06 18:38:16 5th of 10 SWIFT Payments initiated
Andrew Cubbon 2016-01-06 18:38:54 DISCONNECTED from 'SWIFT-R7-CNBTIMDD:CustomNeighborhood'
Andrew Cubbon 2016-01-06 18:49:17 CONNECTED to 'SWIFT-R7-CNBTIMDD:CustomNeighborhood'
SWIFT Portal 2016-01-06 19:10:55 6th of 10 SWIFT Payments initiated (Rejected)
SWIFT Portal 2016-01-06 19:21:25 7th of 10 SWIFT Payments initiated
SWIFT Portal 2016-01-06 19:28:25 8th of 10 SWIFT Payments initiated
SWIFT Portal 2016-01-06 19:36:18 9th of 10 SWIFT Payments initiated
Andrew Cubbon 2016-01-06 19:37:01 DISCONNECTED from 'SWIFT-R7-CNBTIMDD:CustomNeighborhood'
Andrew Cubbon 2016-01-06 20:32:41 CONNECTED to 'SWIFT-R7-CNBTIMDD:CustomNeighborhood'
SWIFT Portal 2016-01-06 20:43:57 10th of 10 SWIFT Payments initiated
Andrew Cubbon 2016-01-06 20:44:28 DISCONNECTED from 'SWIFT-R7-CNBTIMDD:CustomNeighborhood'
Andrew Cubbon 2016-01-06 23:31:17 primacy.support Type 10 log on
Andrew Cubbon 2016-01-06 23:31:30 primacy.support Type 10 log off
Andrew Cubbon 2016-01-07 17:05:23 Primacy.support2 Type 10 log on
Andrew Cubbon 2016-01-07 17:06:28 Primacy.support2 Type 10 re log on
Andrew Cubbon 2016-01-07 17:06:44 Primacy.support2 Type 10 log off
Gary Kermode 2016-01-07 17:30:19 Evidence of Network logon "Type 3"
Gary Kermode 2016-01-07 17:30:32 Malicious PowerShell activity observed in event logs
DC 2016-01-07 18:05:00 Malicious PowerShell activity observed in event logs
DC 2016-01-07 18:20:00 Malicious PowerShell activity observed in event logs
Roz Melia 2016-01-07 18:26:00 Malicious PowerShell activity observed in event logs
Roz Melia 2016-01-07 18:46:00 Malicious PowerShell activity observed in event logs
Roz Melia 2016-01-07 18:49:00 Malicious PowerShell activity observed in event logs
DC 2016-01-08 00:47:00 Malicious PowerShell activity observed in event logs
Exchange Server 2016-01-08 00:49:56 Malicious PowerShell activity observed in event logs
DC 2016-01-18 10:04:41 Terminal services event log
DC 2016-01-19 00:44:08 Malicious PowerShell activity observed in event logs
Appendix 2

The following table represents the initial controls that were recommended in order to isolate and mitigate the initial intrusion activity. This list was provided to CNBT on 1 March 2016.

Incident initial Mitigating Controls

Network Sensor with detection rules in place
Blocking of hackers' infrastructure
Increase SRA/Remote access log retention
Increase Firewall logging retention
Increase security event log size for all hosts
Monitor and alert for privilege account usage
Monitor for accounts added to active directory
Confirm active accounts
Ensure network shares require AD authentication and audit current permissions
Implement application whitelisting, in audit mode initially
Blacklist the identified hacker tools
Consider implementing 2-factor for remote administrative access, or access to the servers at minimum
Set up isolating controls for the Primacy server (best efforts in the short term)
If it is not needed, disallow internet access for the Primacy server
Schedule or manually allow times the Primacy account is allowed to logon
Acquire spare hard disks for workstations
Build clean image for workstations
After necessary backups, with the new drives restore all workstations with a known clean image
Manual removal of the hackers' malicious tools and software
Final Reset Passwords in Active Directory
Final Reset Passwords Other Services
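Three of the controls above (privileged account usage alerting, monitoring for accounts added to Active Directory, and restricting the Primacy account to scheduled logon times) can be expressed as detection logic over Windows Security event records, as in this added example, which is not part of the PwC report or of any CNBT tooling. The watched account names come from the timeline; the event records, host names, the svc-backup2 account and the approved logon windows are constructed assumptions.

```python
"""Detection logic for three of the Appendix 2 controls, run over constructed
Windows Security event records:
  - Monitor and alert for privilege account usage
  - Monitor for accounts added to active directory
  - Schedule or manually allow times the Primacy account is allowed to logon
Added example, not part of the PwC report or of any CNBT tooling."""
from datetime import datetime

# Account names come from the report's timeline.  The approved logon windows
# are a constructed assumption standing in for whatever change-control
# schedule the bank adopts under the "schedule or manually allow times" control.
WATCHED_ACCOUNTS = {"primacy.support", "primacy.support2"}
APPROVED_WINDOWS = [
    (datetime(2016, 1, 5, 9, 0, 0), datetime(2016, 1, 5, 11, 0, 0)),
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Constructed records in a simple pipe-separated form:
#   timestamp|event_id|host|account|detail
# detail carries the logon type for 4624, the group name for 4728/4732 and is
# empty for 4720 (user account created).  Host names and svc-backup2 are made up.
SAMPLE_LOG = """\
2016-01-05 01:22:57|4624|CUBBON-WS|primacy.support|10
2016-01-05 10:15:00|4624|CUBBON-WS|primacy.support|10
2016-01-05 17:07:54|4624|CUBBON-WS|primacy.support|10
2016-01-05 17:30:00|4624|CUBBON-WS|andrew.cubbon|2
2016-01-07 16:00:00|4720|DC|svc-backup2|
2016-01-07 16:01:00|4728|DC|svc-backup2|Domain Admins
2016-01-07 17:30:19|4624|DC|primacy.support|3
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one record into a dict, or return None for blank/malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        event_id = int(parts[1])
    except ValueError:
        return None
    return {"when": when, "event_id": event_id, "host": parts[2],
            "account": parts[3].lower(), "detail": parts[4]}


def in_approved_window(when):
    """True if the timestamp falls inside a scheduled/approved logon window."""
    return any(start <= when <= end for start, end in APPROVED_WINDOWS)


def evaluate(ev):
    """Return (severity, rule, message) for an alerting event, else None."""
    when, eid, host = ev["when"], ev["event_id"], ev["host"]
    acct, detail = ev["account"], ev["detail"]
    if eid == 4624 and acct in WATCHED_ACCOUNTS:
        ltype = int(detail) if detail.isdigit() else -1
        name = LOGON_TYPE_NAMES.get(ltype, f"type {ltype}")
        # Every use of a watched privileged account is recorded; use outside
        # an approved window is escalated.
        if in_approved_window(when):
            return ("info", "privileged-account-logon",
                    f"{acct} {name} logon to {host} inside approved window")
        return ("high", "privileged-account-logon-outside-window",
                f"{acct} {name} logon to {host} with no approved window")
    if eid == 4720:
        return ("high", "ad-account-created", f"new account {acct} created on {host}")
    if eid in (4728, 4732) and detail in PRIVILEGED_GROUPS:
        return ("high", "privileged-group-add", f"{acct} added to {detail} on {host}")
    return None


def detect(log_text):
    """Run every record through the rules; return alerts ordered by time."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hit = evaluate(ev)
        if hit is not None:
            severity, rule, message = hit
            alerts.append({"when": ev["when"], "severity": severity,
                           "rule": rule, "message": message})
    return sorted(alerts, key=lambda a: a["when"])


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['when']}  {a['severity']:4}  {a['rule']:40}  {a['message']}")
```

In a real deployment the records would come from forwarded 4624/4720/4728/4732 events rather than an inline string, and the approved windows from the change-control schedule.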
A copy of our letter of engagement dated 19 January 2016 and the variation letter dated 9 February 2016 is attached below:

Strictly Private and Confidential

Cayman National Bank and Trust Company (Isle of Man) Limited
Cayman National House
4-8 Hope Street
Douglas
Isle of Man
IM1 1AQ

Attn: Ian C. Whan Tong Esq, Group Legal Counsel
19 January 2016

Dear Sirs

Provision of forensic technology, cyber security and investigative services
to Cayman National Bank and Trust Company (Isle of Man) Limited

Thank you for engaging us to provide you with services on terms which are described in this letter, the attached Forensic Technology Solutions Terms of Business (Appendix 1) and Terms of Business (version ToB 01/16). These together form the agreement between us.

Background and purpose

Cayman National Bank and Trust Company (Isle of Man) Limited ("CNBT", "you") detected a number of unusual SWIFT payments as part of your daily reconciliation procedures [illegible] commencing 4 January 2016. Following an internal investigation, you do not believe payments were initiated [illegible] and as a consequence, you believe that the Company has been the target of a network breach. However, your initial investigation suggests that this banking fraud was perpetrated using your legitimate systems, user accounts and credentials.

You have instructed us to provide forensic and cyber investigative services in connection with this ongoing investigation. You wish to engage PwC to provide forensic technology, cyber incident response and investigation services in order to help CNBT understand the nature, impact, and where possible, the root cause of the incident.

As set out in more detail below, you have asked us to preserve forensic images of a number of computer systems, including those which have [illegible] systems. You have also asked us to undertake investigative steps and computer forensic analysis to attempt to determine the sequence of events that led to the perpetration of the fraud.

The services

As part of your response to this security incident, you have requested that we provide forensic technology, cyber security investigation and incident response services. Our work will be split into three phases.

Phase 1 — Preservation of Data

We will work with you to obtain forensically sound copies of nine computer workstations (the "Target Workstations"). We will also work with you to obtain forensic copies of up to four potentially relevant server systems in total (the "Target Servers"). We understand that you have a total of six virtual servers, which are hosted across two physical servers. We also understand that you have a single physical Dell 1600-series Secure Remote Access server (the "SRA Server"). We will determine which [illegible] potentially relevant based on additional technical scoping activities that we will [illegible] when onsite.

PricewaterhouseCoopers LLC, Sixty Circular Road, Douglas.
Telephone +44 (0) 1624 689689 Fax +44 (0) 1624 659640


Where it is not practicable to perform full physical forensic imaging of any of the abovementioned systems, we will work with you to generate 'live' forensic images or selective logical copies of relevant data. For systems such as your Microsoft Exchange email server (the "Exchange Server"), we will work with you to perform a logical extraction of the relevant email database(s) (the "Email Data"), as opposed to forensically imaging the entire system.

Where any of the abovementioned systems are not owned by you, you will provide us in advance with written confirmation, with the appropriate documented approvals from the third party, that they:

• Acknowledge we have permission to access the third party systems for the purposes of forensic data capture, analysis and processing the underlying data; and
• Agree to the clauses outlined in Appendix 1, specifically section A — paragraphs 2 to 4; section B — paragraphs 6 to 13 and section C — paragraphs 14 and 18 to 19.

Further, we remind you of your obligations in clause 2.3 of the terms of business and you agree that we accept no liability (including liability for negligence) to you or any third parties for any consequences of capturing, analysing and processing data from any systems owned by third parties.

We assume that the Target Workstations will each contain a single hard disk drive of no more than 500 GB in size. We assume that each of the Target Servers' system / primary hard disk drives will be of no more than 500 GB in size, and where any additional non-system storage is attached / contained within these systems, this additional non-system storage will be no more than 1TB in size, per server, but collectively no more than 2TB.

We assume that the Email Data will be no more than 250GB in size, once extracted.

We assume that each of the Target Workstations will be powered off upon receipt and each of the Target Servers can be powered off if necessary.

We will require direct physical access to each system, and we assume that we will be provided with any decryption keys necessary to interpret the underlying data.

We will liaise with you to preserve relevant log data from any systems not described above, which are identified by you, or by us as a result of further scoping conversations, and are believed to be relevant to the investigation objectives. Initial scoping conversations suggest that perimeter system log data is very limited, due to the frequency at which these logs begin to overwrite themselves. Specifically, we have been informed that log data relating to remote access into the CNBT IT environment is limited to a maximum of 24 hours.

Phase 2.1 — Targeted Analysis

We will perform forensic analysis of two of the Target Workstations, known to have been involved in the fraud, based on investigation activities already performed by you. These are the Target Workstations used by Andrew Cubbon and Rosaline Melia (the "Breached Workstations"). We will also forensically analyse the Target Servers.

We will attempt to independently establish the sequence of events that led to the perpetration of the fraud. This analysis will include searches for malicious software ("Malware"), and will include the generation of system timelines. Where we identify Malware, we will attempt to establish the initial infection / delivery vector together with its capabilities and usage — including determining if any evidence exists to suggest how the Malware has been used.

We will conduct a deep scan across all Target Workstations / Servers for current and historical threat activity, using proprietary PwC Malware signatures.

We will also conduct a scan of the Email Data for any evidence of Malware or known malicious links, contained within email messages.

Phase 2.2 — Optional Analysis of Remaining Workstations

Depending on the results of phase 2.1, you may instruct us to perform similar forensic analysis steps across the remaining seven Target Workstations. We will request authorisation from you in advance of incurring any costs for this phase.

Phase 3 - Reporting

Upon completion of our investigation we will provide you with a fact-based report covering our findings. It will be a matter for you to determine what actions are taken in relation to these matters upon receipt of our deliverables.


Additional Data Preservation and Further Work

Depending on the results of phases 1 and 2 we may be required to preserve and analyse additional data, such as other computer systems. We may also be required to preserve log data from other systems such as gateways, proxy servers, load balancers, network intrusion systems, and any other [systems which] are likely to contain data relating to internet access or data transfer within or outside of the CNBT IT estate, such as relevant third parties. The scope and estimated costs of any further preservation, analysis or other phases of work will be agreed separately, as an additional schedule to the engagement letter.

Deliverables

As outlined within phase 3 above - upon completion of our investigation we will provide you with a fact-based forensic report covering our findings. It will be a matter for you to determine what action is taken in relation to these matters upon receipt of our deliverables.

We will provide no opinion, attestation or other form of assurance with respect to our services or the information upon which the services are based, other than to commit that we will work to the standards within our industry for this kind of work and to PwC standards. We will not audit or otherwise verify the information supplied to us in connection with this engagement, from whatever source, except as specified in this engagement letter. The procedures we will be performing will not constitute an examination in accordance with generally accepted auditing standards.

Timetable

We will start work on receipt of a signed copy of this engagement letter. The services set out in this letter are by their nature fluid but in advance of each stage of the services we will aim to provide you with an estimate of how long it is likely to take. We will keep you regularly informed of our progress (as well as likely costs). Should we anticipate difficulties in meeting any agreed timetables we will inform you in advance.

Staffing

Steve Billinghurst is the person in charge of providing the services to you, assisted by such other staff [illegible] from the Forensic Technology [illegible] technical investigation and analysis, [illegible] by Kris McConkey and supported by [illegible] Smith. If we believe that it is necessary for us to change any of the named individuals we will let you know.

Client contact

We will report to you throughout, as Group Legal Counsel and Ian Bancroft on all written [illegible]. Ian Bancroft, as the MD of CNBT, has the knowledge, experience and ability to make decisions in relation to the factual circumstances of this incident.


Additional provisions

Accessing PwC systems via your network

You agree that our partners and staff may access the PwC network via your internet connection using PwC computers. We each accept the risks and neither of us will have any liability whatsoever to the other in this regard.

Limitations

The services will not constitute an audit or other assurance engagement.

Your responsibilities

You will be responsible for the provision of information relating to existing policies, plans or procedures, IT and security infrastructure, log files, network diagrams, server configurations and any other information we require in order to undertake our investigation. This will also include access to CNBT and external IT personnel who are able to advise on network and systems architecture.

Quality of service

We aim to deliver a distinctive experience to our clients that is consistent with what they expect from us. At the end of the engagement our Client Feedback Unit may contact your team and conduct a short Client Feedback Survey over the telephone or web-based as preferred. If you raise any issues which require follow-up, Steve Billinghurst or Kris McConkey may call you to discuss these with you in more detail.

Confirmation of agreement

Please confirm your acceptance of the agreement by signing the enclosed copy and returning it to us.

Yours faithfully

[signature]

PricewaterhouseCoopers LLC

Copy letter to be returned to PricewaterhouseCoopers LLC

I accept the terms of the agreement on behalf of Cayman National Bank and Trust Company (Isle of Man) Limited.
Fees

Our fees will be charged on the basis of time spent and in accordance with the "Basis of fees" clause in the attached terms of business. Our fees will be calculated on the basis of the following hourly rates, which have been discounted by 15%:

Rate per hour (£)

On the basis of the scope described above, we estimate the costs as follows and will revise this estimate during the project if necessary.

Preservation of Data
2.1 Targeted Analysis
2.2 Optional Analysis of Remaining Workstations
3 Reporting

We therefore estimate the total cost for phases 1 to 3 will be in the region of £48,000 - £67,000. The above fee rates and estimates exclude VAT. Out of pocket expenses incurred in completing our services will be added to our fees.

We will issue interim invoices at the end of each month and send these to Ian Bancroft, copy Ian C. Whan Tong. In accordance with the attached terms of business, all invoices are payable 14 days after the date on the invoice.

Terms of business

Clause 2.5(ii) is deleted. Any responsibility that we have to detect fraud is set out in the services section above.

Limitation of liability

We draw your attention to clauses 8 and 12.3 in the attached terms of business (ToB 01/16) which amongst other things limit (i) our total aggregate liability for all claims connected with the services or the agreement which we have agreed will be 3 times fees or £100,000, whichever is greater and (ii) the time for bringing any such claim.

Where there is more than one addressee to our deliverable, the limit(s) of liability in clause 8 will have to be allocated between addressees. Such allocation [illegible] obligation to inform us of it. If (for whatever reason) no such allocation is agreed, no addressee will dispute the validity, enforceability or operation of the limit(s) of liability on the grounds that no such allocation was agreed.





Appendix 1 - Forensic Technology Solutions Terms of Business

A. Forensic Imaging

General Considerations

1. You have instructed us to provide forensic services [illegible] with the cyber investigation. Specifically we understand that you may require us to provide forensic imaging and incident response and computer network defence as further described below.

Forensic Imaging

2. You may request that we perform forensic imaging. The forensic imaging process entails:

(i) the creation of an exact electronic image of the electronic media (i.e. the source media) to be provided by you in connection with the services; and

(ii) subsequent processing of those images to enable forensic analysis.

3. We will image the source media using computers specially configured for forensic use. We will use forensic software and hardware to enable us to take an exact image of the source media (which may include personal communications) which will be [illegible] non-invasive to the source media (i.e. it write protects the media and does not alter, create or delete any data on it). At the end of the imaging process, we will return the source media to you.

4. The process of forensic imaging over the network requires us to connect our computers and equipment directly to your computer network, and to execute a piece of software on your servers and computers. Although this should not require your computers to be taken out of service or cause interruption to your service, in the unlikely event of damage being caused to your hard drive or data, or of interruption to any of your service(s), you agree that we will not be held liable for any losses or costs that you may incur as a result of any such damage or interruption.

B. Incident Response and Computer Network Defence

5. You require us to perform incident response (IR) or computer network defence (CND) operations.

6. In addition to 'Forensic Imaging', details of which are included in this appendix, IR and CND may also entail:

(i) Network security monitoring (NSM) in order to identify malicious inbound traffic resulting from attacks which are circumventing existing defensive infrastructure and malicious outbound traffic which may be originating from compromised host machines.

(ii) Enterprise host scans in order to identify indicators of compromise (IOCs) on laptops, workstations or servers. Details of IOCs can be used to determine which machines in an enterprise have been compromised and provide threat intelligence of an attacker's tools, techniques and procedures (TTPs).

(iii) Analysis of log files from a variety of devices (VPN concentrators, DNS servers, firewalls, web proxies etc.) in order to correlate events relating to a network intrusion across the enterprise.

7. NSM requires the connection of one or more hardware devices directly to your network in order to [capture] relevant network traffic flows. These network devices will operate in non-blocking mode and will not [block] or otherwise interfere with traffic traversing your network. You [agree that] we may record and analyse full content (which may include personal communications) of your network traffic for an agreed-upon period to
allow for in-depth analysis either at your offices or at a secure forensic lab within a PwC office. Additionally, you agree we may analyse specific network traffic in real time to detect evidence of known malicious communication patterns and traffic containing unrecognised malicious code (malware). We will agree the number and placement of NSM devices with you, and network infrastructure staff identified by you will be responsible for provisioning suitable switch ports for the NSM devices and making any configuration changes so that the NSM devices can communicate with any relevant signature update and threat analysis systems outside your network. In the event of interruption to any of your services, you agree that we will not have any liability for losses or costs that you may incur as a result of any such interruption. At the end of the agreed monitoring period the NSM equipment will be disconnected from your network. Any costs associated with the use of such NSM equipment will be agreed with you in advance.

8. Due to the volume of data, it is not typically practical, following the completion of an engagement, to archive and retain all network traffic captured as part of NSM. Following the completion of our engagement we may therefore [illegible] certain network traffic captures which are not pertinent to the nature of the work we have been engaged to conduct.

9. Enterprise host scans require the deployment of custom scripts or commercial off the shelf (COTS) software [illegible] by PwC in order to [illegible] on your network for [illegible]. We will liaise with the IT contacts nominated and identified by you as being responsible for [illegible] estate management in order to determine [illegible] or software can be most effectively [illegible] infrastructure team should any network changes be required. You will identify any hosts on your network which you do not wish to install the host scan software on, or which you prefer we [deal] with manually and we will agree the host scan population with you prior to commencing. All scripts and software [packages] used by PwC for enterprise host scans [are] thoroughly tested and should not interfere with any security or other software already on the machines. In the unlikely event of damage being caused to a host machine or interruption of any of your services, you agree that we will not have any liability for any losses or costs that you may incur as a result of any such damage or interruption. We will work with you to ensure that any scripts or software used for enterprise host scans are removed from hosts following the agreed monitoring [period. Any] costs associated with the use of such [scripts or software] will be agreed with you in advance.

10. You consent to the storage of any malware and metadata [supplied] by you, or anyone else working with or for you, to us in the provision of these services, in our internal cyber intelligence [illegible]. We [illegible] technical and organisational security measures to preserve the confidentiality of such information.

11. You agree that the malware and metadata may be combined with information from a variety of other sources to enhance our cyber security reports and services [illegible] parties, provided you cannot be identified in such reports and services.

12. Modern computer systems contain such [illegible] components that it is neither practical nor economically feasible to determine these components' exact operational behaviour with certainty. Accordingly, we make no warranty that our work will have detected all [illegible] on the computer(s) [illegible] determine the exact operational behaviour of the malware which we have examined.

13. You acknowledge that in the course of our work we may become aware of issues such as data breaches, network intrusions, or the presence of malware and that these may [give rise to] regulatory reporting obligations which you are subject to in one or more territories in which you operate (such as the Information Commissioner in the Isle of Man, the ICO in the UK and the SEC in the US). In such instances, you agree that we [do not have any] responsibility to raise with you the [need] to report unless explicitly stated in our letter of engagement, nor any liability for any [illegible] on your part to report. At your request PwC [will] gladly assist you in preparing to report and in any subsequent discussions.


Terms of business

2.6 Oral advice and draft deliverables — You may rely only on our final written deliverables and not on oral advice or draft deliverables. If you wish to rely on something we have said to you, please let us know so that we may prepare a written deliverable.

Introduction

Terms — These terms apply to the services you [illegible] with any claim by anyone else in relation to the services.

Changes — Either we or you may request a change to the services or this [agreement] [illegible].

Effective [illegible] June 2016.

[illegible]

Deemed knowledge — In performing the [illegible] other services.

Your responsibilities

Information — In order for us to advise you [illegible] you, or [illegible] you, is (a) given promptly, (b) accurate and (c) complete [illegible]. We will not verify any information given to us relating to the services.

Your obligations — Our performance depends on [illegible] from you not fulfilling your obligations.

Fees

Payment for services — You agree to pay us for our services. Any estimate we may give you is not [illegible].

Basis of fees — Our fees may reflect not only time spent but [illegible] research together with the [illegible] other purposes.

Expenses — You will pay any reasonable expenses [illegible].

Taxes — [illegible] VAT, that are due in [illegible] services. You will pay us the full amount of any [illegible] that you are [illegible] rate set by law.

Confidentiality

Confidential [information] — We and you agree [illegible]

ToB 01/16
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C. General Considerations 


You give us permission to access and process by 
whatever means necessary for the purpose of 
carrying oat oat satires, £5 of ba data peosidad to 
us by you in connection with this engagement. You 
also give us permission to make T copies of 
the data as may be necessary in order to carry out 
our services. You confirm that in carrying out our 
Services, we will not be in breach of the UK's 
Computer Misase Act 1990, the UK's Data 
Protection Act 1995, the Isle of Man's Data 
Protection Act 2002, the UK's Telecommunications 
(Lawful Business Practice) (Interception of 
Communications) Regulations 2000, or other 
equivalent legislation in any jurisdiction. 


14. Use of sFTP services 


(i) The PwC sFTP service is provided asa 
means of transferring files to and from 
PwC solely for the ofthe 
engagement, and not be used for 
any other purpose. 


(i) Data on the sFTP server is not backed up 
and will be regularly removed. Files more 
ee ener 
avtomatically (including in sub- 
directories), 


(si) SFTP accounts not used for more than a 
month may be disabled. 


(iv) Individual usernames and passwords are 
for engagement use only. Individuals 
must not divulge their password to any 
unauthorised persons. If you suspect that 
a password may have been compromised, 
you must inform PwC immediately so the 
password can be reset. 


(v) All data transferred using the sFTP 
service must be placed in an encrypted 
container, such as a zip, adhering to 
the standards set up under clause 17. 


15. All data that is transferred between you and us, 
other than data transferred by 

and 
must be suitably encrypted unless this 
requirement is waived by you or us. This 
requirement may be waived in writing prior to 
transfer. 


regardless of any confidentiality markings on any 

communications. 

Referring to you and the services – We may 
wish to refer to you and the services we have 
performed for you when marketing our services. 
You agree that we may do so, as long as we do not 
disclose your confidential information. 
Performing services for others – You agree 
that we may perform services for your competitors 
or other parties whose interests may conflict with 
yours, as long as we do not disclose your 
confidential information and we comply with our 
ethical obligations. 


Intellectual property rights 

We will own the intellectual property rights in the 
deliverables and any materials created under this 
agreement, and you will have a non-exclusive, 
non-transferable licence to use the deliverables for 
your own internal purposes. 


Data protection 


Personal data – You agree that we may process 
your personal data for the purposes of (i) providing 
the services, (ii) maintaining our 
administrative or client relationship management 
systems, including the use of IT outsource 
providers, (iii) quality and risk management 
reviews, and (iv) providing you with information 
about us and our range of services. We may 
transfer personal data to other PwC firms and our 
subcontractors in relation to any of these purposes. 
Data processor – Where we act as your data 
processor, we will act only on lawful 

equivalent to 

Data Protection Act 2002 (may 

for the purposes in 

outside the European Economic Area (but only to a 
country 


Liability 

Specific types of loss – You agree that we will 
not be liable for (i) loss or corruption of data from 
your systems, (ii) loss of profit, goodwill, business 
opportunity, anticipated savings or benefits or 
(iii) indirect or consequential loss. 


Liability – You agree that our total liability 
(including interest) for all claims connected with 
the services or this agreement (including but not 
limited to negligence) is limited to the amount set 
out in the engagement letter. 


Sharing of limit – If we agree to 
accept liability to more than one party, the limit on 
our liability in clause 8.2 will be shared between 
them, and it is up to those parties how they share it. 


Unlimited liability – Nothing in this agreement 
excludes or limits any liability that 
cannot by law be excluded or limited. 




16. Suitable encryption is defined as using AES-128 
or better and using a PwC-approved tool and with 
a suitably strong password. A suitably strong 
password is 
characters of mixed 
or a passphrase using memorable words but not a 
familiar catch phrase. 


17. It is our practice to retain one copy of all data 
provided by you to us (even if it includes personal 
data) for our own internal purposes. 


18. If, during our examination, we should encounter 
any materials where the possession, distribution 
or showing of which amounts to, or may amount 
to, a criminal offence, we will immediately contact 
you where we are not legally prohibited from 
doing so. We would normally expect such matters 
to be reported to the police by you. In the event 
that this is not done we reserve our right to 
terminate the engagement. We will not be in a 
position to legally return such materials to you, 
and we may have an 
obligation to report 
their existence to the police ourselves. Where we 
are not legally prohibited from doing so, we will 
inform you in advance of any instances where we 
have to carry out these obligations. 


8.5 No claims against individuals – You agree to 
bring any claim (including one in negligence) in 
connection with the services only against us, and 
not against any individual. Where our individuals 
are described as partners, they are acting as one of 
our members. 
If we are liable to you under 
this agreement and another person would be liable 
to you in respect of the same loss (save for your 
contractual arrangements with them), then (i) the 
compensation payable by us to you in respect of 
that loss will be reduced; (ii) the reduction will 
take into account the extent of the responsibility of 
that other person for the loss; and (iii) in determining 
the extent of the responsibility of that other person 
for the loss, no account will be taken of (a) any limit 
or exclusion placed on the amount that person will 
pay or (b) any shortfall in recovery from that person 
(for whatever reason). 
PwC firms and subcontractors 
Subcontractors – We may use other PwC firms 
(each of which is a separate and independent legal 
entity) or subcontractors to provide the services. 
We remain solely responsible for the services. 
Restriction on claims – You agree not to bring 
any claim against 
another PwC firm (or its partners, members, 
directors or employees) or our subcontractors in 
connection with the services. 

Group members – 

members, subsidiaries, associated 
companies and any holding company 

in respect of any liability relating to the services or this 
agreement. 

Materials 

Policy – We may retain copies of all materials 
relevant to the services, including any materials 
given to us by you or on your behalf. 

Release – We do not release materials which 

agreed to do so. We may 
require a release letter from the recipient as a 
condition of disclosure. 


Termination 

Immediate notice – Either we or you may end 
this agreement immediately by giving written notice 
to the other if (i) the other materially breaches it 
and does not remedy the breach within 
(ii) the other is or appears likely to be unable to pay 
its debts; or (iii) 
arrangements) may breach a legal or regulatory 
requirement. 


30 days’ notice — Either we or you may end this 
agreement on 30 days' written notice. 

Fees payable on termination – You agree to 
pay us for all services we perform up to the date of 
termination. Where there is a fixed fee for services, 
you agree to pay us for the services that we have 
performed, on the basis of the time spent at our then 
current hourly rates, up to the amount of the fixed 


fee. Any contingent element of the fees will remain 

Where a contingent fee cannot be paid for 


Dispute resolution 


Mediation – If a dispute arises, the parties will 
attempt to resolve it by discussion, negotiation and 

be subject to the exclusive jurisdiction of the Isle of 
Man courts. 


Limitation – Any claims must be 

should have been aware of the potential claim and, 
in any event, no later than 5 years after any alleged 


General 

Matters beyond reasonable control – No 
party will be liable to another if it fails to meet its 
obligations due to matters beyond its reasonable 


Entire agreement – This agreement forms the 
entire agreement between the parties in relation to 
the services. It replaces any earlier agreements, 
representations or discussions. Subject to clause 
0.4, no party is liable to any other party (whether 
for negligence or otherwise) for a representation 
that is not in this agreement. 
Your actions – Where you consist of more than 
one party, an act or omission of one party will be 

Assignment – No party may assign or deal with 
their rights or obligations under this agreement 
without prior written consent, but we may novate 
the agreement to a transferee of all or part of our 
business. This novation will take 


the 
prior to that date and (ii) the combined aggregated 
liability of us and the transferee will not exceed the 

Strictly Private and Confidential 

Cayman National 
Cayman National House 
4-8 Hope Street 
Douglas 
Isle of Man 
IM1 1AQ 






9 February 2016 
Reference: PRoz5/SC/Ih 
Dear Sirs 
Attn: Ian C. Whan Tong Esq, Group Legal Counsel 


Variation letter — Project Nutmeg / Pallid 


limit of our liability before the novation took place. 
We may also transfer or deal with our rights in an 
unpaid invoice without notice. 
Rights of third parties – Except as provided in 
clauses 0.5, 9.2 and 9.3, a person who is not a party 
to this agreement has no rights under the Contracts 
(Rights of Third Parties) Act 2003 (as may be 
amended) to enforce any term of this agreement. 
The PwC firms and individuals referred to in those 
clauses may enforce them in their own right. Their 
consent is not required to vary or rescind this 
agreement. 
Quality of service – If you are not satisfied with 
the services, or have suggestions for their 
improvement, please contact either your engagement 
partner or any other partner in the firm who is 
located at our 

You may also contact 

Survival – Any clause that is meant to continue to 
apply after termination of this agreement will do so 
including, but not limited to, 2.3, 2.4, 2.6, 2.7, 4, 5, 
6, 7, 8, 9, 14.3, 12, 13 and 25. 
Interpretation 


In this agreement the following words and 
expressions have the meanings given to them 
below: 
partner – this term refers to a member of 

services – the services set out in the engagement 
letter 

engagement letter to which they 

any schedules) 

us, we, our – PricewaterhouseCoopers LLC, a limited 
liability company registered in the Isle of Man whose 
registered office is at Sixty Circular Road, Douglas, 
Isle of Man, IM1 1SA 

you, your – the party or parties to this agreement 
(excluding us). 







Bank and Trust Company (Isle of Man) Limited 







We refer to the letter dated 19 January 2016 and its attached terms of business (version ToB 01/16), 
which together form the agreement under which we were engaged by you to provide services. 


You have asked us to provide the additional services set out in this letter. This letter forms part of the 


agreement. 
Background and purpose 


Having substantially completed Phases 1 to 3 of the original scope of services in the letter dated 









19 January 2016, we have identified that Cayman National Bank and Trust Company (Isle of Man) 
Limited's ("CNBT", "you") network has been compromised and the network is still actively 


communicating with external attackers. 


The additional services 





Timetable and duration 


We will start work on receipt of a signed copy of this 

services. The services set out in this letter are by their nature fluid but in advance of each stage of the 


You have instructed us to provide the additional services set out in Schedule 1. 


As discussed on a telephone call with yourself, Stuart Dack, and Ian Bancroft on 4 February 2016, we 
believe some additional work should be undertaken in order to secure and protect your network. 


engagement letter, although some of the activities 


acceptance due to the critical nature of the 


services we will aim to provide you with an estimate of how long it is likely to take. We will keep you 
regularly informed 


of our progress (as well as likely costs). Should we anticipate difficulties in meeting 
any agreed timetables we will inform you in advance. 


June 2016 


Staffing 


Steve Billinghurst is the person in charge of providing the services to you, assisted by such other staff 
as we are required. We will also involve specialists from the Forensic Technology Services 
("FTS") team from the London office of the PwC UK firm to perform the technical investigation and 
analysis, led by Kris McConkey and supported by James C Campbell. If we believe that it is necessary 
for us to change any of the named individuals we will let you know. 




























Fees 











On the basis of the scope described above, we estimate the costs as follows and will revise this estimate 
during the project if necessary. The fees for phase 6 have already been communicated to you via email. 















4. Incident Response, evidence preservation and analysis    £21,000 – £24,000 
5. Incident containment and mitigation                       £25,000 – £28,000 
6. Network threat detection/Monitoring 











We therefore estimate the total cost for phases 4 to 6 will be in the region of £66,000 - £82,000. 
The above fee rates and estimates exclude VAT. Out of pocket expenses incurred in completing our 
services will be added to our fees. 


We will issue interim invoices at the end of each month and send these to Ian Bancroft, copy Ian C. 
Whan Tong. In accordance with the attached terms of business, all invoices are payable 14 days after 
the date on the invoice. 




















Confirmation of agreement 










Please confirm your acceptance of this agreement by signing the enclosed copy and returning it to us. 
Yours faithfully 
















PricewaterhouseCoopers LLC 


Copy letter to be returned to PricewaterhouseCoopers LLC 


I accept the terms of the agreement on behalf of Cayman National Bank and Trust Company (Isle of 
Man) Limited. 
Schedule 1 - Additional services 


This schedule sets out the scope of the additional services that we will provide under our variation 
letter dated 9 February 2016. 


Matters to be covered: 
Phase 4 - Incident Response, evidence preservation and analysis 


We will undertake additional forensic captures of up to a maximum of 6 servers that may have been 
involved in the cyber security incident to date. This activity is equivalent to phases 1, 2.1 and 2.2 in the 
original engagement letter but for a smaller target number of servers/workstations. Our work will 
focus on the 2 target servers, being the "Primacy" server and the "Web Server", but we will capture 
images of a further 4 servers in the event they are required to be analysed at a later date. 


We will interrogate and analyse the captured system data to attempt to establish the fact pattern of 
attacker activity including, where possible, details of how access to the network was acquired and what 
data was obtained and exfiltrated. From the data collected, we will also seek to establish whether 
additional machines have been used by the attacker and will advise whether any further remediation 
actions are required. For malicious software identified, we will attempt to establish its function and 
purpose, and identify a method of detecting its communications on the network, which will help to 
inform the remediation and mitigation plan. 


Estimated costs are in the region of £21,000 — £24,000 (Analysis and forensic capture). 
Phase 5 - Incident containment and mitigation 


Using the intelligence and forensic artefacts gathered from the investigation, we will liaise with you to 
create and execute a tailored containment and mitigation strategy which will seek to remove the 
attackers from your network and, at the same time, limit their ability to re-establish access to your 
systems. 


Alongside the mitigation activities we will assist you in enhancing your ability to identify the attacker's 
future efforts to regain a foothold in your environment. This will include providing recommendations 
for enhanced logging, monitoring and auditing of key systems in your environment. We will also 
provide recommendations for incident management tools, processes and best practice for future 
network security improvements. 


Estimated costs are in the region of £25,000 — £28,000 (includes reporting, planning and 
prioritisation, including consultant time to assist with implementation/advice). 


Phase 6 - Network threat detection/Monitoring 


We will discuss with your IT staff and provide advice on an appropriate network span/tap location at 
which to deploy PwC's network sensor(s). These sensors provide us with a mechanism to monitor 
activities of attackers and contain PwC's proprietary threat detection signatures. 


We will liaise with your designated staff to deploy the PwC network sensor(s) in a location determined 
by you where they can monitor relevant inbound and outbound traffic between your IT environment 
and the internet. 


We will monitor network traffic for one month, after which all associated data will be removed from 
the sensor(s) and the sensor(s) will be removed and returned to PwC. During this time we will use the 
sensor to provide network-level visibility of the attacker's activities, analyse and document alerts from 
the sensor(s) and extract log files from the sensors once per day for more intensive analysis in our 
forensic labs. 
Any sensors required for endpoint and/or network threat detection will be charged at £1,250 per 


Estimated costs are in the region of £30,000 — £30,000. 
Other considerations 


Any verbal advice relating to mitigation or remediation will be followed up in writing. It will be a 
matter for you to determine what action is taken in relation to such advice upon receipt of written 
confirmation. 


Please note that we will provide no assurance opinion, attestation or other form of assurance with 
respect to our services or the information upon which the services are based. We will not audit or 
otherwise verify the information supplied to us in connection with this engagement, from whatever 
source, except as specified in this engagement letter. The procedures we will be performing will not 
constitute an examination in accordance with generally accepted auditing standards. 


You will be responsible for the provision of information relating to existing policies, plans or 
procedures, IT and security infrastructure and any other information we require to perform our tasks. 
This includes access to personnel who are able to advise on network and systems architecture. 